github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-22 06:05:38 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions

removed mknod from default seccomp filter, some software packages are using named pipes created with mknod

Browse source
This commit is contained in:
netblue30 2015-08-16 15:43:50 -04:00
parent 8f676d5999
commit 3bfb00f627
4 changed files with 8 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/firejail/seccomp.c
View file

@ -452,9 +452,11 @@ int seccomp_filter_drop(void) {
#ifdef SYS_process_vm_writev
filter_add_blacklist(SYS_process_vm_writev);
#endif
#ifdef SYS_mknod
filter_add_blacklist(SYS_mknod);
#endif
// mknod removed in 0.9.29
//#ifdef SYS_mknod
// filter_add_blacklist(SYS_mknod);
//#endif
// new syscalls in 0.9,23
#ifdef SYS_sysfs

2
src/firejail/usage.c
View file

@ -190,7 +190,7 @@ void usage(void) {
printf("\t\tlist. The default list is as follows: mount, umount2,\n");
printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");
printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");
printf("\t\tmknode, syslog, process_vm_readv and process_vm_writev\n");
printf("\t\tsyslog, process_vm_readv and process_vm_writev\n");
printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");
printf("\t\tperf_event_open, fanotify_init and kcmp.\n\n");

2
src/man/firejail-profile.txt
View file

@ -106,7 +106,7 @@ Whitelist Linux capabilities filter.
\f\seccomp
Enable default seccomp filter. The default list is as follows:
mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
.TP
\f\seccomp syscall,syscall,syscall

2
src/man/firejail.txt
View file

@ -742,7 +742,7 @@ $ firejail \-\-net=eth0 \-\-scan
\fB\-\-seccomp
Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
.br