Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/seccomp.c | 21 | ||||
-rw-r--r-- | src/firejail/usage.c | 13 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
3 files changed, 25 insertions, 13 deletions
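--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -373,6 +373,10 @@ void seccomp_filter_32(void) {
 BLACKLIST(317), // move_pages
 BLACKLIST(316), // vmsplice
 BLACKLIST(61), // chroot
+BLACKLIST(243), // set_thread_area
+BLACKLIST(88), // reboot
+BLACKLIST(169), // nfsservctl
+BLACKLIST(130), // get_kernel_syms
 RETURN_ALLOW
 };
 
@@ -562,6 +566,23 @@ int seccomp_filter_drop(int enforce_seccomp) {
 // 32bit
 // filter_add_blacklist(SYS_personality, 0); // test wine
 // filter_add_blacklist(SYS_set_thread_area, 0); // test wine
+
+// 0.9.39
+#ifdef SYS_set_thread_area
+filter_add_blacklist(SYS_set_thread_area, 0);
+#endif
+#ifdef SYS_tuxcall
+filter_add_blacklist(SYS_tuxcall, 0);
+#endif
+#ifdef SYS_reboot
+filter_add_blacklist(SYS_reboot, 0);
+#endif
+#ifdef SYS_nfsservctl
+filter_add_blacklist(SYS_nfsservctl, 0);
+#endif
+#ifdef SYS_get_kernel_syms
+filter_add_blacklist(SYS_get_kernel_syms, 0);
+#endif
 }
 
 // default seccomp filter with additional drop list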
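Review bot: Blocking set_thread_area (`BLACKLIST(243)` in seccomp_filter_32) is likely to break every 32-bit program, not only wine: as far as I know 32-bit glibc issues set_thread_area during startup to install its TLS segment, so a sandboxed i386 binary would be killed before reaching main(). The still-present `// filter_add_blacklist(SYS_set_thread_area, 0); // test wine` line directly above the new `#ifdef` block suggests this was known to need testing; please confirm with a plain 32-bit binary before shipping, and either remove that now-stale commented line or replace `// 0.9.39` with a comment recording why these five syscalls were added and what was tested. The 64-bit list is guarded with `#ifdef SYS_*` while the 32-bit table hard-codes numbers with no architecture note; a comment such as `// i386 syscall numbers; keep in sync with the SYS_* additions in seccomp_filter_drop()` would make the pairing explicit for the next maintainer. Both seccomp_filter_32 and seccomp_filter_drop start outside their hunks.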
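--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -257,18 +257,7 @@ void usage(void) {
 printf("\t\trunning on the current host.\n\n");
 #endif
 #ifdef HAVE_SECCOMP
-printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");
-printf("\t\tlist. The default list is as follows: mount, umount2,\n");
-printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");
-printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");
-printf("\t\tsyslog, process_vm_readv and process_vm_writev\n");
-printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");
-printf("\t\tperf_event_open, fanotify_init, kcmp, add_key, request_key,\n");
-printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n");
-printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
-printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
-printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
-printf("\t\tkexec_file_load, chroot.\n\n");
+printf("\t--seccomp - enable seccomp filter and apply the default blacklist.\n\n");
 
 printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
 printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");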
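Review bot: The rewritten `--seccomp` help line no longer tells the user where the default blacklist is documented, so someone diagnosing a killed process has to guess which syscalls are blocked. A second line such as `printf("\t\tSee the firejail(1) man page for the default syscall list.\n\n");` after the new line 260 would keep the help self-sufficient now that the inline list is gone. Since the help defers to that list, note that the man page hunk in this commit spells one entry `mfsservctl` where the code blacklists `nfsservctl`. usage() starts outside the hunk.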
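--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1112,7 +1112,9 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
+migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+set_thread_area, tuxcall, reboot, mfsservctl and get_kernel_syms. When running on AMD64 architecture,
+an equivalent 32-bit seccomp filter is also installed.
 .br
 
 .br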