Skip to content

Commit

Permalink
sbox: improve seccomp blacklist
Browse files Browse the repository at this point in the history
  • Loading branch information
@smitsohu
smitsohu committed May 9, 2023
1 parent 9d9114c commit e55c3bf
Showing 1 changed file with 21 additions and 0 deletions.
21 changes: 21 additions & 0 deletions src/firejail/sbox.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,24 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
#ifdef SYS_umount2
BLACKLIST(SYS_umount2),
#endif
#ifdef SYS_fsopen
BLACKLIST(SYS_fsopen), // mount syscalls introduced 2019
#endif
#ifdef SYS_fsconfig
BLACKLIST(SYS_fsconfig),
#endif
#ifdef SYS_fsmount
BLACKLIST(SYS_fsmount),
#endif
#ifdef SYS_move_mount
BLACKLIST(SYS_move_mount),
#endif
#ifdef SYS_fspick
BLACKLIST(SYS_fspick),
#endif
#ifdef SYS_open_tree
BLACKLIST(SYS_open_tree),
#endif
#ifdef SYS_ptrace
BLACKLIST(SYS_ptrace), // trace processes
#endif
Expand Down Expand Up @@ -185,6 +203,9 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
#endif
#ifdef SYS_syslog
BLACKLIST(SYS_syslog), // kernel printk control
#endif
#ifdef SYS_personality
BLACKLIST(SYS_personality), // execution domain
#endif
RETURN_ALLOW
};
Expand Down

0 comments on commit e55c3bf

Please sign in to comment.