Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r-- | src/firejail/seccomp.c | 83 |
1 files changed, 82 insertions, 1 deletions
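--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -490,7 +490,7 @@ int seccomp_filter_drop(void) {
 filter_add_blacklist(SYS_process_vm_writev, 0);
 #endif
 
-// mknod removed in 0.9.29
+// mknod removed in 0.9.29 - it brakes Zotero extension
 //#ifdef SYS_mknod
 // filter_add_blacklist(SYS_mknod, 0);
 //#endif
@@ -520,6 +520,87 @@ int seccomp_filter_drop(void) {
 #ifdef SYS_kcmp
 filter_add_blacklist(SYS_kcmp, 0);
 #endif
+
+// 0.9.32
+#ifdef SYS_add_key
+filter_add_blacklist(SYS_add_key, 0);
+#endif
+#ifdef SYS_request_key
+filter_add_blacklist(SYS_request_key, 0);
+#endif
+#ifdef SYS_keyctl
+filter_add_blacklist(SYS_keyctl, 0);
+#endif
+#ifdef SYS_uselib
+filter_add_blacklist(SYS_uselib, 0);
+#endif
+#ifdef SYS_acct
+filter_add_blacklist(SYS_acct, 0);
+#endif
+#ifdef SYS_modify_ldt
+filter_add_blacklist(SYS_modify_ldt, 0);
+#endif
+//#ifdef SYS_unshare
+// filter_add_blacklist(SYS_unshare, 0);
+//#endif
+#ifdef SYS_pivot_root
+filter_add_blacklist(SYS_pivot_root, 0);
+#endif
+//#ifdef SYS_quotactl
+// filter_add_blacklist(SYS_quotactl, 0);
+//#endif
+#ifdef SYS_io_setup
+filter_add_blacklist(SYS_io_setup, 0);
+#endif
+#ifdef SYS_io_destroy
+filter_add_blacklist(SYS_io_destroy, 0);
+#endif
+#ifdef SYS_io_getevents
+filter_add_blacklist(SYS_io_getevents, 0);
+#endif
+#ifdef SYS_io_submit
+filter_add_blacklist(SYS_io_submit, 0);
+#endif
+#ifdef SYS_io_cancel
+filter_add_blacklist(SYS_io_cancel, 0);
+#endif
+#ifdef SYS_remap_file_pages
+filter_add_blacklist(SYS_remap_file_pages, 0);
+#endif
+#ifdef SYS_mbind
+filter_add_blacklist(SYS_mbind, 0);
+#endif
+#ifdef SYS_get_mempolicy
+filter_add_blacklist(SYS_get_mempolicy, 0);
+#endif
+#ifdef SYS_set_mempolicy
+filter_add_blacklist(SYS_set_mempolicy, 0);
+#endif
+#ifdef SYS_migrate_pages
+filter_add_blacklist(SYS_migrate_pages, 0);
+#endif
+#ifdef SYS_move_pages
+filter_add_blacklist(SYS_move_pages, 0);
+#endif
+#ifdef SYS_vmsplice
+filter_add_blacklist(SYS_vmsplice, 0);
+#endif
+//#ifdef SYS_set_robust_list
+// filter_add_blacklist(SYS_set_robust_list, 0);
+//#endif
+//#ifdef SYS_get_robust_list
+// filter_add_blacklist(SYS_get_robust_list, 0);
+//#endif
+#ifdef SYS_perf_event_open
+filter_add_blacklist(SYS_perf_event_open, 0);
+#endif
+
+// CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
+// SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
+
+// 32bit
+// filter_add_blacklist(SYS_personality, 0); // test wine
+// filter_add_blacklist(SYS_set_thread_area, 0); // test wine
 }
 
 // default seccomp filter with additional drop list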
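Review bot: The four disabled entries added in the second hunk (unshare at 543–545, quotactl at 549–551, set_robust_list and get_robust_list at 588–593) carry no reason, while the first hunk's mknod comment now records why that one was dropped, so a maintainer cannot tell whether these are pending, known to break something, or intentionally left callable. Suggest a one-line comment on each in the same form as the mknod note, e.g. `// set_robust_list left callable: <REASON - fill in before merging>` (and the mknod note itself should read "breaks", not "brakes"). The commented-out `CHECK_SECCOMP(seccomp_rule_add(...))` at 598–599 is dead code in a libseccomp style that the surrounding `filter_add_blacklist` calls do not use; drop it or replace it with a TODO stating what it was meant to block. Because every new rule sits under `#ifdef SYS_*`, a syscall whose macro is absent from the build host's headers is silently not filtered, so a comment next to `// 0.9.32` such as `// best-effort denylist: a rule is skipped wherever SYS_* is undefined on this build` would make that limit explicit. seccomp_filter_drop begins before the first hunk.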