[GH-ISSUE #1417] Feature: Easier alternative to list of syscalls for --seccomp: add pre-defined syscall groups #962

New issue

Closed

opened 2026-05-05 07:13:29 -06:00 by gitea-mirror · 2 comments

gitea-mirror commented

2026-05-05 07:13:29 -06:00

Owner

Originally created by @topimiettinen on GitHub (Jul 30, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1417

It's not so easy to use seccomp feature because there are hundreds of system calls to be managed. I'm proposing to add a simpler way to prepare seccomp filters, where the user can construct the filter by
using predefined system call groups or sets. Systemd uses prefix '@' to distinguish system call groups, for example:
@debug: Debugging, performance monitoring and tracing functionality (ptrace(2), perf_event_open(2) and related calls)
@obsolete: Unusual, obsolete or unimplemented (create_module(2), gtty(2), ...)
@privileged: All system calls which need super-user capabilities
@default: built-in default list

For example, a firejail user could simply specify --seccomp=@privileged to blacklist all privileged system calls. This is much easier to use than long list of system calls.

As a bonus, I think such seccomp lists would also simplify firejail design, now the lists of syscalls are somewhat duplicated across default/32/64 vs. sandboxing for fcopy etc. The lists can specify other lists, so for example @default could contain both @privileged and @obsolete.

Originally created by @topimiettinen on GitHub (Jul 30, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1417 It's not so easy to use seccomp feature because there are hundreds of system calls to be managed. I'm proposing to add a simpler way to prepare seccomp filters, where the user can construct the filter by using predefined system call groups or sets. Systemd uses prefix '@' to distinguish system call groups, for example: `@debug`: Debugging, performance monitoring and tracing functionality (`ptrace(2)`, `perf_event_open(2)` and related calls) `@obsolete`: Unusual, obsolete or unimplemented (`create_module(2)`, `gtty(2)`, ...) `@privileged`: All system calls which need super-user capabilities `@default`: built-in default list For example, a firejail user could simply specify `--seccomp=@privileged` to blacklist all privileged system calls. This is much easier to use than long list of system calls. As a bonus, I think such seccomp lists would also simplify firejail design, now the lists of syscalls are somewhat duplicated across default/32/64 vs. sandboxing for fcopy etc. The lists can specify other lists, so for example `@default` could contain both `@privileged `and `@obsolete`.

gitea-mirror

2026-05-05 07:13:29 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 07:13:34 -06:00

Author

Owner

@netblue30 commented on GitHub (Jul 31, 2017):

Go for it! @default list will also close #1366

@netblue30 commented on GitHub (Jul 31, 2017): Go for it! @default list will also close #1366

gitea-mirror commented

2026-05-05 07:13:35 -06:00

Author

Owner

@topimiettinen commented on GitHub (Aug 7, 2017):

Implemented in 34ee8e03.

@topimiettinen commented on GitHub (Aug 7, 2017): Implemented in 34ee8e03.

gitea-mirror referenced this issue

2026-05-05 10:08:18 -06:00

[PR #962] [MERGED] Correct and tighten QuiteRss profile #3809

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#962

No description provided.

Rows
Columns