Diffstat (limited to 'src/fseccomp/seccomp.c')
-rw-r--r-- | src/fseccomp/seccomp.c | 60 |
1 files changed, 54 insertions, 6 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index f252e36b6..25a151a78 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
@@ -90,12 +90,9 @@ static void add_default_list(int fd, int allow_debuggers) { | |||
90 | #ifdef SYS_process_vm_writev | 90 | #ifdef SYS_process_vm_writev |
91 | filter_add_blacklist(fd, SYS_process_vm_writev, 0); | 91 | filter_add_blacklist(fd, SYS_process_vm_writev, 0); |
92 | #endif | 92 | #endif |
93 | 93 | //#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension | |
94 | // mknod removed in 0.9.29 - it brakes Zotero extension | 94 | // filter_add_blacklist(SYS_mknod, 0); |
95 | //#ifdef SYS_mknod | 95 | //#endif |
96 | // filter_add_blacklist(SYS_mknod, 0); | ||
97 | //#endif | ||
98 | |||
99 | #ifdef SYS_sysfs | 96 | #ifdef SYS_sysfs |
100 | filter_add_blacklist(fd, SYS_sysfs, 0); | 97 | filter_add_blacklist(fd, SYS_sysfs, 0); |
101 | #endif | 98 | #endif |
@@ -192,6 +189,57 @@ static void add_default_list(int fd, int allow_debuggers) { | |||
192 | #ifdef SYS_get_kernel_syms | 189 | #ifdef SYS_get_kernel_syms |
193 | filter_add_blacklist(fd, SYS_get_kernel_syms, 0); | 190 | filter_add_blacklist(fd, SYS_get_kernel_syms, 0); |
194 | #endif | 191 | #endif |
192 | |||
193 | // 0.9.45 | ||
194 | #ifdef SYS_bpf | ||
195 | filter_add_blacklist(fd, SYS_bpf, 0); | ||
196 | #endif | ||
197 | #ifdef SYS_clock_settime | ||
198 | filter_add_blacklist(fd, SYS_clock_settime, 0); | ||
199 | #endif | ||
200 | //#ifdef SYS_clone - in use by Firejail | ||
201 | // filter_add_blacklist(fd, SYS_clone, 0); | ||
202 | //#endif | ||
203 | #ifdef SYS_personality | ||
204 | filter_add_blacklist(fd, SYS_personality, 0); | ||
205 | #endif | ||
206 | #ifdef SYS_process_vm_writev | ||
207 | filter_add_blacklist(fd, SYS_process_vm_writev, 0); | ||
208 | #endif | ||
209 | #ifdef SYS_query_module | ||
210 | filter_add_blacklist(fd, SYS_query_module, 0); | ||
211 | #endif | ||
212 | //#ifdef SYS_quotactl - in use by Firefox | ||
213 | // filter_add_blacklist(fd, SYS_quotactl, 0); | ||
214 | //#endif | ||
215 | //#ifdef SYS_setns - in use by Firejail | ||
216 | // filter_add_blacklist(fd, SYS_setns, 0); | ||
217 | //#endif | ||
218 | #ifdef SYS_settimeofday | ||
219 | filter_add_blacklist(fd, SYS_settimeofday, 0); | ||
220 | #endif | ||
221 | #ifdef SYS_stime | ||
222 | filter_add_blacklist(fd, SYS_stime, 0); | ||
223 | #endif | ||
224 | #ifdef SYS_umount | ||
225 | filter_add_blacklist(fd, SYS_umount, 0); | ||
226 | #endif | ||
227 | //#ifdef SYS_unshare - in use by Firejail | ||
228 | // filter_add_blacklist(fd, SYS_unshare, 0); | ||
229 | //#endif | ||
230 | #ifdef SYS_userfaultfd | ||
231 | filter_add_blacklist(fd, SYS_userfaultfd, 0); | ||
232 | #endif | ||
233 | #ifdef SYS_ustat | ||
234 | filter_add_blacklist(fd, SYS_ustat, 0); | ||
235 | #endif | ||
236 | #ifdef SYS_vm86 | ||
237 | filter_add_blacklist(fd, SYS_vm86, 0); | ||
238 | #endif | ||
239 | #ifdef SYS_vm86old | ||
240 | filter_add_blacklist(fd, SYS_vm86old, 0); | ||
241 | #endif | ||
242 | |||
195 | } | 243 | } |
196 | 244 | ||
197 | // default list | 245 | // default list |
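Review bot: SYS_process_vm_writev is blacklisted a second time at new lines 206-208, while the first hunk already shows it blocked at lines 90-92 of the same function; the duplicate only adds a redundant rule to the generated filter, so the `#ifdef SYS_process_vm_writev` / `filter_add_blacklist(fd, SYS_process_vm_writev, 0);` / `#endif` triple in this hunk should be dropped. The new `SYS_umount` entry at 224-226 covers only the legacy syscall; on ABIs that define `SYS_umount2` but not `SYS_umount` it compiles to nothing, so unless umount2 is already blocked in the part of the list outside this hunk the gap remains, and a comment stating which case applies would help the next reader. In the first hunk the rewritten comment reads `emoved`; `//#ifdef SYS_mknod - removed in 0.9.29 - it breaks Zotero extension` keeps the rationale readable. add_default_list begins before the first hunk.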