[GH-ISSUE #404] Improved strace syscall editing instructions #292

Closed
opened 2026-05-05 05:32:29 -06:00 by gitea-mirror · 6 comments

Originally created by @ghost on GitHub (Apr 2, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/404

On https://firejail.wordpress.com/documentation-2/seccomp-guide/ the instructions:

> We bring strace output (cut&paste) in a text editor and clean it up. We extract a comma-separated list without any blanks, something like:

Prior to now I did not have a method of doing this sanely. It horrifies me to imagine my fellow firejailers editing strace text file output _by hand_, so here is a unix way to help speed this process along. I asked me old friend Awk what he thought would work and after some experimenting we came up with this:

```sh
for i in ping ; do strace -qcf $i 2>&1 | awk '{$1=""; $2=""; $3=""; $4=""; sub(" ", " "); print}' ; done
```

The output has a few extra integers due to an uneven number of columns in every program; it is impossible to fix that, but now we can add our syscalls in a nice linear format as stated in:

> poll,select,nanosleep,futex,epoll_wait,fadvise64,read,lstat,stat,[...]

This method can save firejailers upwards of maybe 300+ copy and pastes, or save some foolhardy newbies from editing strace output files with nano. _shudder_
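An added example, not from the issue author or the firejail project: a POSIX shell function that turns the `strace -c` summary into the blank-free, comma-separated list the seccomp guide wants. It keys on the last column instead of blanking the first four, so the optional `errors` column no longer leaks integers into the list; the sample summary text is constructed, not a real capture.

```sh
#!/bin/sh
# Convert `strace -c` summary output (on stdin) into "a,b,c" for a
# firejail seccomp list: sorted, de-duplicated, no blanks.
set -u

syscall_list() {
    awk '
        # header row ends in "syscall", totals row ends in "total": skip both
        $NF == "syscall" || $NF == "total" { next }
        # the syscall name is always the last field, whether or not the
        # per-row "errors" column is present (the "extra integers" problem)
        $NF ~ /^[a-z_0-9]+$/ { print $NF }
    ' | sort -u | tr '\n' ',' | sed 's/,$//'
}

# Constructed sample of an `strace -qcf` summary; the openat row shows the
# five-column case (errors count present), the others the four-column case.
SAMPLE='% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 40.00    0.000200          20        10           read
 30.00    0.000150          15        10           write
 20.00    0.000100          10        10         2 openat
 10.00    0.000050           5        10           read
------ ----------- ----------- --------- --------- ----------------
100.00    0.000500                      40         2 total'

# Live use (assumed wrapper name): strace_to_seccomp ping -c 1 127.0.0.1
# strace writes its summary to stderr; the program's own stdout is dropped.
strace_to_seccomp() {
    strace -qcf "$@" 2>&1 >/dev/null | syscall_list
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | syscall_list   # prints openat,read,write
fi
```

The resulting list is what `--seccomp.keep=` expects; run the traced program through its normal workload first, since a syscall that never happens during the trace will not be in the list.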


@netblue30 commented on GitHub (Apr 2, 2016):

Thanks for the tip, I'll put it in the document.


@ghost commented on GitHub (Apr 2, 2016):

Glad to help. Next up I'm thinking of ways to build a list of each binary's syscalls on a system. It will be something like 1) build a list of all installed packages on a system, 2) apply strace on each line item of the list, 3) append that output to a file and (hopefully) be human readable. A fresh Debian install will have 268 binaries; Ubuntu I forget the exact number, but it is something like 463. Sure, most of those binaries will be useful to run via firejail in all contexts, but I would bet that at some point in the future it would be useful for someone, somewhere.

It would even be useful to build a continuous list of these for each generic kernel released by a distribution and vanilla kernel. Uploading a version controlled version of the results (primarily for the benefit to prevent tampering and provide an auditable history) would be a valuable public service but I doubt I have the time to do that myself.

It would be really awesome if upstream distributions applied this model as well, as they could apply seccomp restrictions on all the binaries they use before releasing them to the public. Void may be willing to do something like that.


@netblue30 commented on GitHub (Apr 3, 2016):

The problem is as soon as you update the software, the filter changes. Even a simple library used by the process can trigger a filter change. It might work for stable distros like Debian or CentOS.


@chiraag-nataraj commented on GitHub (Jul 22, 2018):

@netblue30 Can you add the code snippet to the website? 🙂


@rusty-snake commented on GitHub (May 26, 2019):

Any progress here?


@rusty-snake commented on GitHub (Aug 22, 2019):

@Andrew415 you can use syscalls.sh (#2754)
@netblue30 https://firejail.wordpress.com/documentation-2/seccomp-guide/

  1. Add info about syscalls.sh
  2. On systems with systemd the syslog cmd is `journalctl --grep=syscall --follow`.