From 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sat, 14 Mar 2020 00:07:06 +0200
Subject: seccomp: allow defining separate filters for 32-bit arch

System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine.

Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed.

Lists of supported system calls are also updated.

Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries.

Closes #3267.

Signed-off-by: Topi Miettinen
---
 src/man/firejail-profile.txt | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'src/man/firejail-profile.txt')

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9af25bf63..511194ff3 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -386,19 +386,31 @@ first argument to socket system call. Recognized values: \fBunix\fR, \fBseccomp Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. .TP +\fBseccomp.32 +Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. +.TP \fBseccomp syscall,syscall,syscall Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. .TP +\fBseccomp.32 syscall,syscall,syscall +Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. +.TP \fBseccomp.block-secondary Enable seccomp filter and filter system call architectures so that only the native architecture is allowed. .TP \fBseccomp.drop syscall,syscall,syscall -Enable seccomp filter and blacklist the system calls in the list. +Enable seccomp filter and blacklist the system calls in the list. +.TP +\fBseccomp.32.drop syscall,syscall,syscall +Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system. .TP \fBseccomp.keep syscall,syscall,syscall Enable seccomp filter and whitelist the system calls in the list. .TP +\fBseccomp.32.keep syscall,syscall,syscall +Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. +.TP \fBx11 Enable X11 sandboxing. .TP -- cgit v1.2.3-70-g09d2
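Review bot: The new seccomp.32, seccomp.32.drop and seccomp.32.keep entries do not say how they interact with seccomp.block-secondary, which sits in the same list and allows only the native architecture. The commit message says blocking secondary archs completely is still better when 32-bit support is not needed; that recommendation belongs in the man page text next to these entries, along with a sentence on what a profile gets when both seccomp.32 and seccomp.block-secondary are present. The entries should also state that the names in "syscall,syscall,syscall" are interpreted as 32-bit system calls, since the commit message points out that names and numbers differ between the two architectures, and "on top of default seccomp filter" in the seccomp.32 list form should say whether that is the default 32-bit list. The preload caveat for trace, tracelog and postexecseccomp from the commit message is also absent from the documentation. Separately, the removed and re-added seccomp.drop description line reads identically here, so it appears to be a whitespace-only change; please confirm it is intended or drop it from this patch.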