From 511cad9ed24a544f607193d74bfef8a449fe3a0b Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Sun, 25 Aug 2019 19:12:00 +0200
Subject: Use new seccomp syntax from #2926
---
 etc/akregator.profile | 2 +-
 etc/bibletime.profile | 2 +-
 etc/falkon.profile | 2 +-
 etc/firefox-common.profile | 2 +-
 etc/kiwix-desktop.profile | 2 +-
 etc/qutebrowser.profile | 2 +-
 etc/skypeforlinux.profile | 2 +-
 etc/start-tor-browser.profile | 2 +-
 etc/teamspeak3.profile | 2 +-
 etc/torbrowser-launcher.profile | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 466eff22d..34933f283 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -36,7 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # chroot syscalls are needed for setting up the built-in sandbox
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 4f1b05c88..0de3bc480 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
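Review bot: The `+seccomp !chroot` line in the bibletime.profile hunk exempts chroot from the default filter with no comment saying why, while the akregator, falkon, qutebrowser and firefox-common hunks keep an explanatory comment next to the same change; the kiwix-desktop, skypeforlinux, start-tor-browser, teamspeak3 and torbrowser-launcher hunks have the same gap. An unexplained `!` exception is the first thing a later cleanup would tighten, so a one-line comment above it naming the component that needs chroot — presumably an embedded browser sandbox as in the commented profiles, but confirm per application — would preserve the intent, e.g. `# chroot is needed by the built-in sandbox; see https://github.com/netblue30/firejail/issues/2506 for possible workarounds`. The rewrite is also only a no-op if firejail's default seccomp list equals the removed groups and syscalls plus chroot; that is what #2926 is expected to provide, but nothing in the diff or the commit message states it, so it is worth confirming against the default list before merging.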
diff --git a/etc/falkon.profile b/etc/falkon.profile
index ddcda6228..0024b6660 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -34,7 +34,7 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
 private-dev
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 6ad4a9bc2..02d6199a0 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -46,7 +46,7 @@ notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile
index db8f7880c..8b7b12882 100644
--- a/etc/kiwix-desktop.profile
+++ b/etc/kiwix-desktop.profile
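Review bot: The context comment `# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.` in the firefox-common.profile hunk now sits directly above an explicit `seccomp !chroot`, so "still permits" no longer describes a gap left by a long drop list but a deliberate exemption, and it reads as if chroot were merely forgotten. Consider rewording it to `# chroot is deliberately exempted from the default seccomp list (seccomp !chroot). See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.` so the intent survives the syntax change.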
@@ -39,7 +39,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index a7ba18292..95c189458 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -36,5 +36,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 8a45f2465..fe9ededa4 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
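Review bot: The removed list in the skypeforlinux.profile hunk (and likewise in the teamspeak3.profile hunk) did not name `personality`, `process_vm_readv` and `ptrace`, unlike the other eight profiles, yet all ten now receive the identical `seccomp !chroot`. Since both of these lists already contained `@debug`, which as far as I know covers those three syscalls, the effective filter should be unchanged; if the shorter list was a deliberate allowance rather than an older copy of the template, that assumption should be checked by launching the two applications under the new profile rather than assumed from the diff.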
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index 1c2a2cd10..a8b5d109e 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -28,7 +28,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index b34d15731..c1c666f58 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -33,7 +33,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 8485c0c4c..1183cd2f7 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
-- 
cgit v1.2.3-70-g09d2