[GH-ISSUE #1] Modify seccomp arguments in profile config for more flexibility #1

New issue

Closed

opened 2026-05-05 04:42:03 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented 2026-05-05 04:42:03 -06:00

Owner

Copy link

Originally created by @boltronics on GitHub (Aug 9, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1

At the time of writing, firejail supports:

       seccomp
              Enable default seccomp filter.

       seccomp syscall,syscall,syscall
              Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.

       seccomp.drop syscall,syscall,syscall
              Enable seccomp filter and blacklist  the system calls in the list.

       seccomp.keep syscall,syscall,syscall
              Enable seccomp filter and whitelist the system calls in the list.

What I actually want is the default seccomp filter, with some additional system calls on top of the default seccomp filter. Additionally, I might want to remove some system calls in the same profile. To facilitate this functionality, I suggest changing the second seccomp usage option to work like follows:

       seccomp -syscall,-syscall,-syscall,+syscall,+syscall,+syscall
              Enable seccomp filter and whitelist and/or blacklist additional system calls in the list on top of the default seccomp filter.

Regardless of how the information is specified in the profile, it would be very helpful to somehow just say "use the default filter +/- these other system calls". This should cut down the work required for people following the Firejail Seccomp Guide.

Originally created by @boltronics on GitHub (Aug 9, 2015). Original GitHub issue: https://github.com/netblue30/firejail/issues/1 At the time of writing, firejail supports: ``` seccomp Enable default seccomp filter. seccomp syscall,syscall,syscall Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. seccomp.drop syscall,syscall,syscall Enable seccomp filter and blacklist the system calls in the list. seccomp.keep syscall,syscall,syscall Enable seccomp filter and whitelist the system calls in the list. ``` What I actually want is the default seccomp filter, with some additional system calls on top of the default seccomp filter. Additionally, I might want to remove some system calls in the same profile. To facilitate this functionality, I suggest changing the second seccomp usage option to work like follows: ``` seccomp -syscall,-syscall,-syscall,+syscall,+syscall,+syscall Enable seccomp filter and whitelist and/or blacklist additional system calls in the list on top of the default seccomp filter. ``` Regardless of how the information is specified in the profile, it would be very helpful to somehow just say "use the default filter +/- these other system calls". This should cut down the work required for people following the [Firejail Seccomp Guide](https://l3net.wordpress.com/2015/04/13/firejail-seccomp-guide/).

gitea-mirror 2026-05-05 04:42:03 -06:00

• closed this issue
• added the
  enhancement
  label

gitea-mirror commented 2026-05-05 04:42:11 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Aug 11, 2015):

What I actually want is the default seccomp filter, with some additional system calls on top of the default seccomp filter.

This is exactly what "seccomp syscall,syscall,syscall". It takes the default filter and adds "syscall,syscall,syscall".

"use the default filter +/- these other system calls"

I'll leave this open as an enhancement for now.

<!-- gh-comment-id:129843320 --> @netblue30 commented on GitHub (Aug 11, 2015): > What I actually want is the default seccomp filter, with some additional system calls on top of the default seccomp filter. This is exactly what "seccomp syscall,syscall,syscall". It takes the default filter and adds "syscall,syscall,syscall". > "use the default filter +/- these other system calls" I'll leave this open as an enhancement for now.

gitea-mirror commented 2026-05-05 04:42:18 -06:00

Author

Owner

Copy link

@boltronics commented on GitHub (Aug 11, 2015):

This is exactly what "seccomp syscall,syscall,syscall". It takes the default filter and adds
"syscall,syscall,syscall".

Sorry - I wasn't very clear. By "with some additional system calls on top of the default seccomp filter", I meant I wanted to allow additional system calls - so effectively it would unblock something the default filter has blocked. I think that's likely to be a more common scenario, as most people would go with the defaults, and then adjust them if they don't work. If they don't work, permissions will need to be relaxed, not tightened.

<!-- gh-comment-id:129877300 --> @boltronics commented on GitHub (Aug 11, 2015): > This is exactly what "seccomp syscall,syscall,syscall". It takes the default filter and adds > "syscall,syscall,syscall". Sorry - I wasn't very clear. By "with some additional system calls on top of the default seccomp filter", I meant I wanted to allow additional system calls - so effectively it would unblock something the default filter has blocked. I think that's likely to be a more common scenario, as most people would go with the defaults, and then adjust them if they don't work. If they don't work, permissions will need to be relaxed, not tightened.

gitea-mirror commented 2026-05-05 04:42:22 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Aug 11, 2015):

I'll have to think about it, thanks.

<!-- gh-comment-id:129921801 --> @netblue30 commented on GitHub (Aug 11, 2015): I'll have to think about it, thanks.

gitea-mirror commented 2026-05-05 04:42:24 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Sep 26, 2015):

I am dropping it. It complicates the code to much.

<!-- gh-comment-id:143456638 --> @netblue30 commented on GitHub (Sep 26, 2015): I am dropping it. It complicates the code to much.

gitea-mirror referenced this issue 2026-05-05 05:06:26 -06:00

[GH-ISSUE #175] using links in sandboxed firefox #121

gitea-mirror referenced this issue 2026-05-05 05:21:11 -06:00

[GH-ISSUE #313] Firejail and libpng / setjmp(png_jmpbuf) (cannot save PNG) #221

gitea-mirror referenced this issue 2026-05-05 05:24:03 -06:00

[GH-ISSUE #339] scp / sftp does not work while firejail as a shell #239

gitea-mirror referenced this issue 2026-05-05 05:38:57 -06:00

[GH-ISSUE #493] freshly installed debian sid - firejail not working #347

gitea-mirror referenced this issue 2026-05-05 06:53:31 -06:00

[GH-ISSUE #1185] systemd/firejail interaction #812

gitea-mirror referenced this issue 2026-05-05 06:56:58 -06:00

[GH-ISSUE #1230] sftp problem #837

gitea-mirror referenced this issue 2026-05-05 06:57:28 -06:00

[GH-ISSUE #1237] Pulseaudio 10.0 with Firefox not working with 0.9.44.10 on PCLinuxOS KDE 64-bit #843

gitea-mirror referenced this issue 2026-05-05 07:25:52 -06:00

[GH-ISSUE #1615] Enabling AppArmor support for Chrome disables hardware accelerated rendering #1081

gitea-mirror referenced this issue 2026-05-05 07:55:43 -06:00

[GH-ISSUE #2018] Cannot run Geary 0.12.2-1 #1357

gitea-mirror referenced this issue 2026-05-05 08:07:50 -06:00

[GH-ISSUE #2176] sshd works within chroot, but not firejail chroot #1466

gitea-mirror referenced this issue 2026-05-05 08:12:32 -06:00

[GH-ISSUE #2321] netfilter-default in firejail.config does not appear to be working #1548

gitea-mirror referenced this issue 2026-05-05 08:19:27 -06:00

[GH-ISSUE #2662] 'sudo firejail --apparmor' = Root shell #1676

gitea-mirror referenced this issue 2026-05-05 08:31:42 -06:00

[GH-ISSUE #2969] whitelist/blacklist nesting + private-bin #1855

gitea-mirror referenced this issue 2026-05-05 08:34:29 -06:00

[GH-ISSUE #3045] Ping Broken #1910

gitea-mirror referenced this issue 2026-05-05 08:34:32 -06:00

[GH-ISSUE #3045] Ping Broken #1910

gitea-mirror referenced this issue 2026-05-05 08:58:30 -06:00

[GH-ISSUE #3633] chromium-privacy-browser: program does not start #2285

gitea-mirror referenced this issue 2026-05-05 08:59:44 -06:00

[GH-ISSUE #3663] Unable to whitelist steamapps when using --private #2305

gitea-mirror referenced this issue 2026-05-05 09:01:53 -06:00

[GH-ISSUE #3724] [abrt] firejail: iopl(): faudit killed by SIGSYS #2345

gitea-mirror referenced this issue 2026-05-05 09:19:33 -06:00

[GH-ISSUE #4418] nosound in firefox #2664

gitea-mirror referenced this issue 2026-05-05 09:27:12 -06:00

[GH-ISSUE #4882] firefox: cannot play Netflix/widevine with VPN on #2797

gitea-mirror referenced this issue 2026-05-05 09:32:08 -06:00

[GH-ISSUE #5094] telegram: fcopy: invalid ownership for file /usr/bin/telegram #2877

gitea-mirror referenced this issue 2026-05-05 09:56:16 -06:00

[GH-ISSUE #6744] simple-scan: cannot open "save file" dialog #3355

gitea-mirror referenced this issue 2026-05-05 10:08:24 -06:00

[PR #979] [MERGED] Correct skanlite.profile #3812

gitea-mirror referenced this issue 2026-05-05 10:08:35 -06:00

[PR #1010] [MERGED] Don't touch aliases #3823

gitea-mirror referenced this issue 2026-05-05 10:09:13 -06:00

[PR #1152] [MERGED] blacklist X11 startup scripts #3857

gitea-mirror referenced this issue 2026-05-05 10:12:33 -06:00

[PR #1617] [CLOSED] Merge pull request #1 from netblue30/master #4035

gitea-mirror referenced this issue 2026-05-05 10:14:51 -06:00

[PR #2054] [CLOSED] firefox-beta #4159

gitea-mirror referenced this issue 2026-05-05 10:27:16 -06:00

[PR #3603] [MERGED] New profiles for balsa,trojita,kube #4826

gitea-mirror referenced this issue 2026-05-05 10:33:38 -06:00

[PR #4513] [CLOSED] telegram: Enable private-bin #5175

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1

No description provided.