diff options
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/disable-common.inc | 3 | ||||
| -rw-r--r-- | etc/disable-programs.inc | 2 | ||||
| -rw-r--r-- | etc/templates/syscalls.txt | 26 |
3 files changed, 29 insertions, 2 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index e1762719f..5fc65193a 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
| @@ -284,8 +284,7 @@ read-only ${HOME}/bin | |||
| 284 | read-only ${HOME}/.bin | 284 | read-only ${HOME}/.bin |
| 285 | read-only ${HOME}/.local/bin | 285 | read-only ${HOME}/.local/bin |
| 286 | read-only ${HOME}/.cargo/bin | 286 | read-only ${HOME}/.cargo/bin |
| 287 | blacklist ${HOME}/.cargo/registry | 287 | read-only ${HOME}/.cargo/env |
| 288 | blacklist ${HOME}/.cargo/config | ||
| 289 | 288 | ||
| 290 | # Write-protection for desktop entries | 289 | # Write-protection for desktop entries |
| 291 | read-only ${HOME}/.config/menus | 290 | read-only ${HOME}/.config/menus |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index d4808f413..260d317d1 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
| @@ -52,6 +52,8 @@ blacklist ${HOME}/.bibletime | |||
| 52 | blacklist ${HOME}/.bitcoin | 52 | blacklist ${HOME}/.bitcoin |
| 53 | blacklist ${HOME}/.bogofilter | 53 | blacklist ${HOME}/.bogofilter |
| 54 | blacklist ${HOME}/.bzf | 54 | blacklist ${HOME}/.bzf |
| 55 | blacklist ${HOME}/.cargo/registry | ||
| 56 | blacklist ${HOME}/.cargo/config | ||
| 55 | blacklist ${HOME}/.claws-mail | 57 | blacklist ${HOME}/.claws-mail |
| 56 | blacklist ${HOME}/.cliqz | 58 | blacklist ${HOME}/.cliqz |
| 57 | blacklist ${HOME}/.clonk | 59 | blacklist ${HOME}/.clonk |
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index 30ad6feea..bc45d9f9d 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
| @@ -1,6 +1,9 @@ | |||
| 1 | Hints for writing seccomp.drop lines | 1 | Hints for writing seccomp.drop lines |
| 2 | ==================================== | 2 | ==================================== |
| 3 | 3 | ||
| 4 | Definition of groups | ||
| 5 | -------------------- | ||
| 6 | |||
| 4 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | 7 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime |
| 5 | @module=delete_module,finit_module,init_module | 8 | @module=delete_module,finit_module,init_module |
| 6 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | 9 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write |
| @@ -20,6 +23,8 @@ Hints for writing seccomp.drop lines | |||
| 20 | 23 | ||
| 21 | @default-keep=execve,prctl | 24 | @default-keep=execve,prctl |
| 22 | 25 | ||
| 26 | Inheritance of groups | ||
| 27 | --------------------- | ||
| 23 | 28 | ||
| 24 | +---------+----------------+---------------+ | 29 | +---------+----------------+---------------+ |
| 25 | | @clock | @cpu-emulation | @default-keep | | 30 | | @clock | @cpu-emulation | @default-keep | |
| @@ -41,7 +46,28 @@ Hints for writing seccomp.drop lines | |||
| 41 | | @default-nodebuggers | | 46 | | @default-nodebuggers | |
| 42 | +----------------------+ | 47 | +----------------------+ |
| 43 | 48 | ||
| 49 | common used seccomp.drop lines | ||
| 50 | ------------------------------ | ||
| 44 | 51 | ||
| 45 | @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 52 | @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
| 46 | 53 | ||
| 47 | @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 54 | @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
| 55 | |||
| 56 | Building a seccomp.drop line if seccomp breaks a programm | ||
| 57 | --------------------------------------------------------- | ||
| 58 | |||
| 59 | ``` | ||
| 60 | $ journalctl --grep=syscall --follow | ||
| 61 | <...> audit[…]: SECCOMP <...> syscall=161 <...> | ||
| 62 | $ firejail --debug-syscalls | grep 161 | ||
| 63 | 161 - chroot | ||
| 64 | ``` | ||
| 65 | |||
| 66 | TODO: write a short explanation | ||
| 67 | TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible | ||
| 68 | |||
| 69 | see also | ||
| 70 | -------- | ||
| 71 | |||
| 72 | - contrib/syscalls.sh | ||
| 73 | - https://firejail.wordpress.com/documentation-2/seccomp-guide/ | ||