[GH-ISSUE #1366] seccomp.keep and seccomp #934

New issue

Closed

opened 2026-05-05 07:11:11 -06:00 by gitea-mirror · 21 comments

gitea-mirror commented 2026-05-05 07:11:11 -06:00

Owner

Copy link

Originally created by @curiosity-seeker on GitHub (Jul 4, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1366

The seccomp guide is very helpful when creating a list of whitelisted syscalls for a specific program. However, I have a comprehension question regarding seccomp.keep:

seccomp blacklists the syscalls in the default list. But when creating a list of whitelisted syscalls it is necessary to add syscalls to seccomp.keep which are not explicitly blacklisted by seccomp. But why?

Wouldn't it be possible to change the behavior of seccomp.keep accordingly? The list(s) of whitelisted syscalls wouldn't be that mile-long anymore, and I think that it would be easier to create new profiles.

But perhaps I'm simply missing a decisive argument.

Originally created by @curiosity-seeker on GitHub (Jul 4, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1366 The [seccomp guide](https://firejail.wordpress.com/documentation-2/seccomp-guide/) is very helpful when creating a list of whitelisted syscalls for a specific program. However, I have a comprehension question regarding `seccomp.keep`: `seccomp` blacklists the syscalls in the [default list](https://github.com/netblue30/firejail/blob/master/src/fseccomp/seccomp.c). But when creating a list of whitelisted syscalls it is necessary to add syscalls to `seccomp.keep` which are **not** explicitly blacklisted by `seccomp`. But why? Wouldn't it be possible to change the behavior of `seccomp.keep` accordingly? The list(s) of whitelisted syscalls wouldn't be that mile-long anymore, and I think that it would be easier to create new profiles. But perhaps I'm simply missing a decisive argument.

gitea-mirror 2026-05-05 07:11:11 -06:00

• closed this issue
• added the
  enhancement
  label

gitea-mirror commented 2026-05-05 07:11:15 -06:00

Author

Owner

Copy link

@curiosity-seeker commented on GitHub (Jul 28, 2017):

Modifying the seccomp.keep behavior would be really handy. E.g., when I compared the default list with seccomp.keep in my google-chrome profile using the comm utility, I found that only 2 syscalls (chroot and personality) were common in both files. Needless to say that this would make the seccomp.keep line much more overseeable ;-)

On the other hand, additional syscalls were recently added to the default list (and this had happened before). This could mean that possibly many profiles that contain seccomp.keep lines would probably need manual adjustments in order to avoid breakage.

Considering this, I'm tempted to withdraw my proposal unless somebody has an idea for a manageable solution.

<!-- gh-comment-id:318656340 --> @curiosity-seeker commented on GitHub (Jul 28, 2017): Modifying the `seccomp.keep` behavior would be really handy. E.g., when I compared the default list with `seccomp.keep` in my google-chrome profile using the `comm` utility, I found that only 2 syscalls (chroot and personality) were common in both files. Needless to say that this would make the `seccomp.keep` line much more overseeable ;-) On the other hand, additional syscalls were recently added to the default list (and this had happened before). This could mean that possibly many profiles that contain `seccomp.keep` lines would probably need manual adjustments in order to avoid breakage. Considering this, I'm tempted to withdraw my proposal unless somebody has an idea for a manageable solution.

gitea-mirror commented 2026-05-05 07:11:17 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 28, 2017):

Maybe change behavior of seccomp.keep and seccomp.drop only if seccomp option is present?

For example if seccomp is present, seccomp.keep will only whitelist options, which was blocked by seccomp, and with seccomp.dropyou can block additional syscalls without the need to write syscalls from default list. That way there is no need to break old behavior of seccomp.keep and seccomp.drop.

<!-- gh-comment-id:318711492 --> @ghost commented on GitHub (Jul 28, 2017): Maybe change behavior of `seccomp.keep` and `seccomp.drop` only if `seccomp` option is present? For example if `seccomp` is present, `seccomp.keep` will only whitelist options, which was blocked by `seccomp`, and with `seccomp.drop`you can block additional syscalls without the need to write syscalls from default list. That way there is no need to break old behavior of `seccomp.keep` and `seccomp.drop`.

gitea-mirror commented 2026-05-05 07:11:18 -06:00

Author

Owner

Copy link

@curiosity-seeker commented on GitHub (Aug 7, 2017):

@netblue30 : You wrote

@default list will also close #1366

How exactly would this work now that syscall groups are implemented?

<!-- gh-comment-id:320637434 --> @curiosity-seeker commented on GitHub (Aug 7, 2017): @netblue30 : You [wrote](https://github.com/netblue30/firejail/issues/1417#issuecomment-319040648) > @default list will also close #1366 How exactly would this work now that syscall groups are implemented?

gitea-mirror commented 2026-05-05 07:11:19 -06:00

Author

Owner

Copy link

@curiosity-seeker commented on GitHub (Aug 22, 2017):

May I ask again how the syscall groups are helpful in this case?

In the example above concerning google-chrome where only 2 whitelisted syscalls are part of the @default list - how would the existence of those groups help to create a list of whitelisted syscalls?

Sorry, if I might be missing something obvious ....

<!-- gh-comment-id:324054069 --> @curiosity-seeker commented on GitHub (Aug 22, 2017): May I ask again how the syscall groups are helpful in this case? In the example above concerning google-chrome where only 2 whitelisted syscalls are part of the @default list - how would the existence of those groups help to create a list of whitelisted syscalls? Sorry, if I might be missing something obvious ....

gitea-mirror commented 2026-05-05 07:11:20 -06:00

Author

Owner

Copy link

@topimiettinen commented on GitHub (Aug 22, 2017):

I think the syscall groups are somewhat orthogonal to this feature request, but you may be able to construct the filter you want with the groups more easily than with a long list of syscalls.

With systemd's SystemCallFilter directive it's possible to combine blacklists and whitelists. Maybe something similar could be added.

<!-- gh-comment-id:324105760 --> @topimiettinen commented on GitHub (Aug 22, 2017): I think the syscall groups are somewhat orthogonal to this feature request, but you may be able to construct the filter you want with the groups more easily than with a long list of syscalls. With systemd's [SystemCallFilter](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter) directive it's possible to combine blacklists and whitelists. Maybe something similar could be added.

gitea-mirror commented 2026-05-05 07:11:22 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Jul 22, 2018):

@topimiettinen What do you think the syntax would look like? Something like seccomp @default-keep,!keyctl would blacklist everything in @default-keep except keyctl maybe?

<!-- gh-comment-id:406892220 --> @chiraag-nataraj commented on GitHub (Jul 22, 2018): @topimiettinen What do you think the syntax would look like? Something like `seccomp @default-keep,!keyctl` would blacklist everything in `@default-keep` _except_ `keyctl` maybe?

gitea-mirror commented 2026-05-05 07:11:24 -06:00

Author

Owner

Copy link

@topimiettinen commented on GitHub (Jul 22, 2018):

Something like that, or combinations of multiple lines of seccomp, seccomp.keep and seccomp.drop could be allowed.

<!-- gh-comment-id:406896207 --> @topimiettinen commented on GitHub (Jul 22, 2018): Something like that, or combinations of multiple lines of `seccomp`, `seccomp.keep` and `seccomp.drop` could be allowed.

gitea-mirror commented 2026-05-05 07:11:26 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Jul 22, 2018):

@netblue30 What do you think?

<!-- gh-comment-id:406899727 --> @chiraag-nataraj commented on GitHub (Jul 22, 2018): @netblue30 What do you think?

gitea-mirror commented 2026-05-05 07:11:27 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Jul 24, 2018):

We can go either way:

1. seccomp @default-keep,!keyctl
2. multiple lines of seccomp, seccomp.keep and seccomp.drop

Or we can even implement both, today a seccomp.keep line is several hundreds chars long.

<!-- gh-comment-id:407466540 --> @netblue30 commented on GitHub (Jul 24, 2018): We can go either way: 1. seccomp @default-keep,!keyctl 2. multiple lines of seccomp, seccomp.keep and seccomp.drop Or we can even implement both, today a seccomp.keep line is several hundreds chars long.

gitea-mirror commented 2026-05-05 07:11:29 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (May 20, 2019):

@netblue30 Have we made any progress on this?

<!-- gh-comment-id:494033936 --> @chiraag-nataraj commented on GitHub (May 20, 2019): @netblue30 Have we made any progress on this?

gitea-mirror commented 2026-05-05 07:11:30 -06:00

Author

Owner

Copy link

@curiosity-seeker commented on GitHub (May 20, 2019):

@chiraag-nataraj : Thanks for bringing this up again!

Adding to this the issue - mentioned by myself elsewhere - that the syscall groups are nowhere readily defined (I'm sure they are somewhere deep in the source code) so actually using them is rather difficult ...

<!-- gh-comment-id:494039502 --> @curiosity-seeker commented on GitHub (May 20, 2019): @chiraag-nataraj : Thanks for bringing this up again! Adding to this the issue - mentioned by myself elsewhere - that the syscall groups are nowhere readily defined (I'm sure they are somewhere deep in the source code) so actually using them is rather difficult ...

gitea-mirror commented 2026-05-05 07:11:31 -06:00

Author

Owner

Copy link

@Vincent43 commented on GitHub (May 20, 2019):

I recently proposed this elsewhere:

Maybe tweak seccomp rule to allow defining firejail defaults +/- a chosen syscall,
like seccomp +chroot?

<!-- gh-comment-id:494069645 --> @Vincent43 commented on GitHub (May 20, 2019): I recently proposed this [elsewhere](https://github.com/netblue30/firejail/issues/2669#issuecomment-489606847): > Maybe tweak seccomp rule to allow defining firejail defaults +/- a chosen syscall, > like seccomp +chroot?

gitea-mirror commented 2026-05-05 07:11:32 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (May 20, 2019):

Cool, let's move discussion of this over to #2669.

<!-- gh-comment-id:494083316 --> @chiraag-nataraj commented on GitHub (May 20, 2019): Cool, let's move discussion of this over to #2669.

gitea-mirror commented 2026-05-05 07:11:33 -06:00

Author

Owner

Copy link

@Vincent43 commented on GitHub (May 20, 2019):

@chiraag-nataraj actually I think this issue is better focused on seccomp tweaks. The other one could be fixed if we find solution here.

<!-- gh-comment-id:494096707 --> @Vincent43 commented on GitHub (May 20, 2019): @chiraag-nataraj actually I think this issue is better focused on seccomp tweaks. The other one could be fixed if we find solution here.

gitea-mirror commented 2026-05-05 07:11:35 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (May 20, 2019):

Okay! Let's keep this open then.

<!-- gh-comment-id:494116940 --> @chiraag-nataraj commented on GitHub (May 20, 2019): Okay! Let's keep this open then.

gitea-mirror commented 2026-05-05 07:11:35 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Aug 22, 2019):

that the syscall groups are nowhere readily defined

@curiosity-seeker https://github.com/netblue30/firejail/blob/master/etc/templates/syscalls.txt

<!-- gh-comment-id:523902336 --> @rusty-snake commented on GitHub (Aug 22, 2019): > that the syscall groups are nowhere readily defined @curiosity-seeker https://github.com/netblue30/firejail/blob/master/etc/templates/syscalls.txt

gitea-mirror commented 2026-05-05 07:11:36 -06:00

Author

Owner

Copy link

@curiosity-seeker commented on GitHub (Aug 23, 2019):

@rusty-snake : Thank you very much! I had noticed it before - very cool, indeed!

<!-- gh-comment-id:524388374 --> @curiosity-seeker commented on GitHub (Aug 23, 2019): @rusty-snake : Thank you very much! I had noticed it before - very cool, indeed!

gitea-mirror commented 2026-05-05 07:11:37 -06:00

Author

Owner

Copy link

@curiosity-seeker commented on GitHub (Aug 23, 2019):

Is there any progress regarding the original issue and the ideas mentioned by @topimiettinen and @chiraag-nataraj ?

<!-- gh-comment-id:524389839 --> @curiosity-seeker commented on GitHub (Aug 23, 2019): Is there any progress regarding the original issue and the ideas mentioned by @topimiettinen and @chiraag-nataraj ?

gitea-mirror commented 2026-05-05 07:11:37 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Aug 23, 2019):

My Thinking to that ...

seccomp.drop: used to only block listed syscalls (like blacklist for files) -- no changes
seccomp.block-secondary: used to block syscalls for other archs -- no changes
seccomp.keep: block all syscalls not listed (never used in profiles) -- no changes
seccomp: used to block a default list of syscalls (and listed) -- changes wouldn't be break much.

<!-- gh-comment-id:524413014 --> @rusty-snake commented on GitHub (Aug 23, 2019): My Thinking to that ... `seccomp.drop`: used to only block listed syscalls (like blacklist for files) -- no changes `seccomp.block-secondary`: used to block syscalls for other archs -- no changes `seccomp.keep`: block all syscalls not listed (never used in profiles) -- no changes `seccomp`: used to block a default list of syscalls (and listed) -- changes wouldn't be break much.

gitea-mirror commented 2026-05-05 07:11:38 -06:00

Author

Owner

Copy link

@topimiettinen commented on GitHub (Aug 24, 2019):

No progress, but here are further ideas 😃

• command line option to discover seccomp groups: seccomp.show @default
• copy further system call group ideas from systemd: @aio @basic-io @file-system @io-event @ipc @keyring @memlock @network-io @process @signal @sync @system-service @timer. These are mostly unprivileged system calls and thus they could be more useful for user applications than current groups, which contain mostly privileged system calls.

<!-- gh-comment-id:524528925 --> @topimiettinen commented on GitHub (Aug 24, 2019): No progress, but here are further ideas :smiley: - command line option to discover seccomp groups: `seccomp.show @default` - copy further system call group ideas from systemd: `@aio @basic-io @file-system @io-event @ipc @keyring @memlock @network-io @process @signal @sync @system-service @timer`. These are mostly unprivileged system calls and thus they could be more useful for user applications than current groups, which contain mostly privileged system calls.

gitea-mirror commented 2026-05-05 07:11:39 -06:00

Author

Owner

Copy link

@topimiettinen commented on GitHub (Aug 25, 2019):

I've implemented the further systemd groups in PR #2928.

<!-- gh-comment-id:524647256 --> @topimiettinen commented on GitHub (Aug 25, 2019): I've implemented the further systemd groups in PR #2928.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#934

No description provided.