From 3bfb00f627f5d4ff6879d886165fb751868527b0 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 16 Aug 2015 15:43:50 -0400
Subject: removed mknod from default seccomp filter, some software packages are using named pipes created with mknod

---
 src/firejail/seccomp.c       | 8 +++++---
 src/firejail/usage.c         | 2 +-
 src/man/firejail-profile.txt | 2 +-
 src/man/firejail.txt         | 2 +-
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index c03eb6848..d00a335c6 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -452,9 +452,11 @@ int seccomp_filter_drop(void) {
 #ifdef SYS_process_vm_writev
 	filter_add_blacklist(SYS_process_vm_writev);
 #endif
-#ifdef SYS_mknod
-	filter_add_blacklist(SYS_mknod);
-#endif
+
+// mknod removed in 0.9.29
+//#ifdef SYS_mknod
+//	filter_add_blacklist(SYS_mknod);
+//#endif
 
 // new syscalls in 0.9,23
 #ifdef SYS_sysfs
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 9aeb5895d..3afe5580f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -190,7 +190,7 @@ void usage(void) {
 	printf("\t\tlist. The default list is as follows: mount, umount2,\n");
 	printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");
 	printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");
-	printf("\t\tmknode, syslog, process_vm_readv and process_vm_writev\n");
+	printf("\t\tsyslog, process_vm_readv and process_vm_writev\n");
 	printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");
 	printf("\t\tperf_event_open, fanotify_init and kcmp.\n\n");
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 4941d8b8b..7be5304c1 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
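Review bot: The new lines keep the mknod rule as commented-out code instead of deleting it, and the surviving comment records only a version, not the reason for the change. Since the commit message already gives the reason, one line such as `// mknod is deliberately not blacklisted: mkfifo(3) creates named pipes via mknod(2) (changed in 0.9.29)` says more than the three commented-out lines and can replace them. Note that mknod(2) also creates character and block device nodes, so inside the sandbox those now rely on the kernel's CAP_MKNOD check; if the default sandbox does not drop that capability, an argument-aware rule allowing only S_IFIFO would keep the named-pipe use case while still blocking device-node creation, though whether filter_add_blacklist can express argument conditions is not visible in this hunk. seccomp_filter_drop() starts and ends outside the hunk.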
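Review bot: The rewritten usage.c line still closes the clause with `and process_vm_writev` while the list continues on the next line with `sysfs,_sysctl`, so the help text reads as two run-together lists; the man pages changed in this same commit end that line with a comma instead. Since the line is being edited anyway, `printf("\t\tsyslog, process_vm_readv, process_vm_writev,\n");` makes it one list, and the `and kcmp` on the last line already supplies the final conjunction. usage() starts and ends outside the hunk.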
@@ -106,7 +106,7 @@ Whitelist Linux capabilities filter.
 \f\seccomp
 Enable default seccomp filter. The default list is as follows: mount, umount2,
 ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \f\seccomp syscall,syscall,syscall
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3e399db72..0b7ed1434 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -742,7 +742,7 @@ $ firejail \-\-net=eth0 \-\-scan
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: mount, umount2,
 ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .br
-- 
cgit v1.2.3-54-g00ecf