path: root/src/lib/syscall.c
Commit message | Author | Age
* update copyright 2024 | netblue30 | 2024-01-12
|
* Fix wrong syscall names for s390_pci_mmio_{read,write} | Topi Miettinen | 2023-08-26
|   Closes #5965
* Update copyright to 2023 (#5664) | David Fetter | 2023-02-15
|
* refresh syscall groups (#5188) | smitsohu | 2022-07-17
|   now covers syscalls up to and including process_madvise (440)
|
|   group assignment was blindly copied from systemd:
|   https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305
|   the only exception is close_range, which was added to both
|   @basic-io and @file-system
|
|   this commit adds the following syscalls to the default blacklist:
|   pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree
* fix: some firejail output goes to stdout instead of stderr #4328 | netblue30 | 2022-01-21
|
* 2022 copyright update | netblue30 | 2022-01-07
|
* remove kcmp from seccomp default drop list (#3219) | smitsohu | 2021-06-26
|
* copyright update | startx2017 | 2021-02-15
|
* add support for faccessat2 syscall | glitsj16 | 2021-02-10
|
* join: misc improvements | smitsohu | 2021-01-06
|   * don't mess with umask of root, it could be more strict than
|     user umask and relaxing it may catch root by surprise
|   * join needs execveat syscall, need to drop it post-exec
|   * make things more explicit
* #3106-1, include @mount in @default instead of all the syscalls | rusty-snake | 2020-09-01
|
* Add 32bit ARM syscalls | Andrew Branson | 2020-04-15
|
* Allow changing error action in seccomp filters | Topi Miettinen | 2020-04-06
|   Let user specify the action when seccomp filters trigger:
|   - errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
|   - 'kill': kill the process as previous versions
|
|   The default action is EPERM, but killing can still be specified with
|   syscall:kill syntax or globally with seccomp-error-action=kill. The
|   action can also be overridden in the /etc/firejail/firejail.config file.
|
|   Not killing the process weakens Firejail slightly when trying to
|   contain intrusion, but it may also allow tighter filters if the
|   only alternative is to allow a system call.
* seccomp: allow defining separate filters for 32-bit arch | Topi Miettinen | 2020-03-28
    System calls (names and numbers) are not exactly the same for 32 bit
    and 64 bit architectures. Let's allow defining separate filters for
    32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
    is useful for mixed 64/32 bit application environments like Steam and
    Wine.

    Implement protocol and mdwx filtering also for 32 bit arch. It's still
    better to block secondary archs completely if not needed.

    Lists of supported system calls are also updated.

    Warn if preload libraries would be needed due to trace, tracelog or
    postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
    linker does not understand the 64 bit preload libraries.

    Closes #3267.

    Signed-off-by: Topi Miettinen <toiwoton@gmail.com>