From 475cb76e5a3a5091cfe9587875c71e757e1aced7 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Wed, 26 Feb 2020 23:01:18 +0100
Subject: minor sbox hardening
blacklist process_vm_readv and process_vm_writev while we're at it also remove duplicate iopl blacklisting
---
 src/firejail/sbox.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index c3b68f3a8..0c7b13f1c 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -53,11 +53,17 @@ static struct sock_filter filter[] = {
 #ifdef SYS_ptrace
 	BLACKLIST(SYS_ptrace), // trace processes
 #endif
+#ifdef SYS_process_vm_readv
+	BLACKLIST(SYS_process_vm_readv),
+#endif
+#ifdef SYS_process_vm_writev
+	BLACKLIST(SYS_process_vm_writev),
+#endif
 #ifdef SYS_kexec_file_load
-	BLACKLIST(SYS_kexec_file_load),
+	BLACKLIST(SYS_kexec_file_load), // loading a different kernel
 #endif
 #ifdef SYS_kexec_load
-	BLACKLIST(SYS_kexec_load), // loading a different kernel
+	BLACKLIST(SYS_kexec_load),
 #endif
 #ifdef SYS_name_to_handle_at
 	BLACKLIST(SYS_name_to_handle_at),
@@ -83,9 +89,6 @@ static struct sock_filter filter[] = {
 #ifdef SYS_ioperm
 	BLACKLIST(SYS_ioperm),
 #endif
-#ifdef SYS_iopl
-	BLACKLIST(SYS_iopl), // io permissions
-#endif
 #ifdef SYS_ioprio_set
 	BLACKLIST(SYS_ioprio_set),
 #endif
-- 
cgit v1.2.3-54-g00ecf
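Review bot: The two new BLACKLIST entries for SYS_process_vm_readv and SYS_process_vm_writev carry no trailing comment, unlike the neighbouring `BLACKLIST(SYS_ptrace), // trace processes` line, so the reason they are grouped with ptrace is not recorded in the table; I would write `BLACKLIST(SYS_process_vm_readv), // read another process' memory` and `BLACKLIST(SYS_process_vm_writev), // write another process' memory`. As far as I recall both calls are already gated by the kernel's ptrace-attach permission check on the target task, so this is defence in depth next to the ptrace rule rather than closing an otherwise open path — worth confirming against the kernel before the comment claims more. Like every other `#ifdef SYS_*` guard in this table, the new rules silently vanish when the build host's headers do not define the constant, so a build against older headers yields a weaker filter than the source suggests. The `filter[]` array this hunk edits begins and ends outside the hunk.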