From 75a75e87f75d5f2a2c1bf315b29b6a7a4b303de6 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 2 Aug 2017 08:42:25 -0400
Subject: get_mempolicy syscall was temporarily removed from the default seccomp list. It seems to break playing youtube videos on Firefox Nightly - #1414
---
 README.md | 3 +++
 src/fseccomp/seccomp.c | 10 +++++++---
 src/fseccomp/seccomp_secondary.c | 8 ++++++--
 src/man/firejail.txt | 2 +-
 4 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index cd432f05b..abccc2b4d 100644
--- a/README.md
+++ b/README.md
@@ -140,6 +140,9 @@ pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian, ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted by default.
+get_mempolicy syscall was temporarily removed from the default seccomp list. It seems to break
+playing youtube videos on Firefox Nightly.
+
 ## New profiles:
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 7d2ccbbce..a30a9e00b 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -162,9 +162,13 @@ static void add_default_list(int fd, int allow_debuggers) {
 #ifdef SYS_mbind
 filter_add_blacklist(fd, SYS_mbind, 0);
 #endif
-#ifdef SYS_get_mempolicy
- filter_add_blacklist(fd, SYS_get_mempolicy, 0);
-#endif
+
+// breaking Firefox nightly when playing youtube videos
+// TODO: test again when firefox sandbox is finally released
+//#ifdef SYS_get_mempolicy
+// filter_add_blacklist(fd, SYS_get_mempolicy, 0);
+//#endif
+
 #ifdef SYS_set_mempolicy
 filter_add_blacklist(fd, SYS_set_mempolicy, 0);
 #endif
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index 8270b7018..fceb2c3ec 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
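Review bot: The six added lines in add_default_list() leave the get_mempolicy block as commented-out code (`//#ifdef SYS_get_mempolicy` through `//#endif`) with no reference to the issue that motivated the change, so a later maintainer cannot tell from the source when it is safe to re-enable. I would drop the commented-out lines and keep one comment carrying the tracking id, e.g. `// get_mempolicy is deliberately not blacklisted: it broke Firefox Nightly youtube playback (#1414); re-add once the Firefox sandbox is released`. Not filtering it also means sandboxed processes can now query NUMA memory policy; it is a read-only query, so the widening of the default syscall surface is small, but the README context line "This brings us to a total of 91 syscalls blacklisted by default" is left untouched and would need to drop by one if that figure counted get_mempolicy. The same commented-out pattern appears in both seccomp_secondary.c hunks. add_default_list's body continues outside the hunk.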
@@ -67,7 +67,9 @@ void seccomp_secondary_64(const char *fname) {
 BLACKLIST(210), // io_cancel
 BLACKLIST(216), // remap_file_pages
 BLACKLIST(237), // mbind
- BLACKLIST(239), // get_mempolicy
+// breaking Firefox nightly when playing youtube videos
+// TODO: test again when firefox sandbox is finally released
+// BLACKLIST(239), // get_mempolicy
 BLACKLIST(238), // set_mempolicy
 BLACKLIST(256), // migrate_pages
 BLACKLIST(279), // move_pages
@@ -148,7 +150,9 @@ void seccomp_secondary_32(const char *fname) {
 BLACKLIST(249), // io_cancel
 BLACKLIST(257), // remap_file_pages
 BLACKLIST(274), // mbind
- BLACKLIST(275), // get_mempolicy
+// breaking Firefox nightly when playing youtube videos
+// TODO: test again when firefox sandbox is finally released
+// BLACKLIST(275), // get_mempolicy
 BLACKLIST(276), // set_mempolicy
 BLACKLIST(294), // migrate_pages
 BLACKLIST(317), // move_pages
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3a5e8560c..af2724aa9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1488,7 +1488,7 @@ iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, get_mempolicy, set_mempolicy,
+remap_file_pages, mbind, set_mempolicy,
 migrate_pages, move_pages, vmsplice, chroot, tuxcall, reboot, mfsservctl, get_kernel_syms, bpf, clock_settime, personality, process_vm_writev, query_module,
-- 
cgit v1.2.3-70-g09d2
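Review bot: The secondary lists in seccomp_secondary_64() and seccomp_secondary_32() hard-code the syscall numbers (239 and 275 for get_mempolicy) and have to be edited by hand every time add_default_list() in seccomp.c changes, as this commit does in three separate places; nothing in the new code ties the copies together, so a future edit to one list can silently leave a syscall filtered on one ABI and allowed on another. A comment at the head of each list, `// Keep in step with add_default_list() in seccomp.c and with the syscall lists in README.md and src/man/firejail.txt`, would at least make the coupling visible to the next person touching either file; the same applies to the 32-bit hunk. Both enclosing functions start before their hunks and continue after them.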