From 4fbb2936ebf02760c8475f392da2ba29c35ae22a Mon Sep 17 00:00:00 2001
From: James Elford
Date: Wed, 7 Feb 2018 07:37:44 +0000
Subject: Add seccomp filters for remmina, from an strace session connecting via RDP
---
etc/remmina.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/remmina.profile b/etc/remmina.profile
index 3bb6aa0b1..fe429c32c 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -22,7 +22,7 @@ noroot
notv
novideo
protocol unix,inet,inet6
-seccomp
+seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
shell none
private-dev
-- cgit v1.2.3-54-g00ecf
From 058942d16d58eab08aac8ad1b5ce2e1c82ed27c8 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 11 Feb 2018 14:17:02 +0100
Subject: keep remmina seccomp whitelist opt-in
---
etc/remmina.profile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/etc/remmina.profile b/etc/remmina.profile
index fe429c32c..bef6376c6 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
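Review bot: The whitelist on the `+seccomp.keep` line contains no `exit_group`, `exit` or `rt_sigreturn` entry, so unless firejail adds those implicitly, a normal process exit and the return from any signal handler become non-whitelisted calls and, depending on the filter's default action, would terminate remmina with SIGSYS instead of a clean exit. The commit message says the list was recorded from one strace session over RDP; the other Remmina protocol plugins (VNC, SSH, SPICE) and other libc versions are likely to issue calls that this list lacks (for example `epoll_*`, `wait4`, `select`, `unlink`, `mkdir`), and each of them would fail the same way. The following commit 058942d already turns the whitelist into an opt-in comment, so the point here is the list's content, not the policy: before it is re-enabled, the trace should cover every protocol plugin end to end, including disconnect and process exit, and the profile should record which scenarios the list covers.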
@@ -22,7 +22,8 @@ noroot
notv
novideo
protocol unix,inet,inet6
-seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
+seccomp
+# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
shell none
private-dev
-- cgit v1.2.3-54-g00ecf
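Review bot: The added `+# seccomp.keep` line carries no explanation of where the list came from or why it is disabled, so a later maintainer cannot judge whether it is safe to uncomment; the only record is the message of commit 4fbb293. Add a comment above it such as `# Opt-in syscall whitelist, recorded from a single strace session of an RDP connection; other protocol plugins may need more calls, and exit_group/rt_sigreturn are not in the list.` so that the coverage gap travels with the profile. The `-seccomp.keep` removal and `+seccomp` restore the generic blacklist filter, which is the sensible default given that gap; the gaps in the list itself are the same as on the previous hunk and are not repeated here.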