remove kcmp from seccomp default drop list (#3219)

2026-05-21 06:45:29 -06:00 · 2021-06-26 16:43:49 +02:00 · 2021-06-26 16:43:49 +02:00 · 533a57ebe1
commit 533a57ebe1
parent 43fb38e18e
3 changed files with 2 additions and 4 deletions
--- a/1
+++ b/1
@ -5,6 +5,7 @@ firejail (0.9.65) baseline; urgency=low
  * new firejail.config settings: private-opt, private-srv
  * new firejail.config settings: whitelist-disable-topdir
  * new firejail.config settings: seccomp-filter-add
+  * removed kcmp syscall from seccomp default filter
  * rename --noautopulse to keep-config-pulse
  * filtering environment variables
  * zsh completion
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@ -33,7 +33,7 @@ Definition of groups
@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
@default-nodebuggers=@default,ptrace,personality,process_vm_readv
@default-keep=execveat,execve,prctl
@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@ -253,9 +253,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_fanotify_init
 	  "fanotify_init,"
 #endif
-#ifdef SYS_kcmp
-	  "kcmp,"
-#endif
 #ifdef SYS_add_key
 	  "add_key,"
 #endif