Feature: allow any syscall to be blacklisted with aid of LD_PRELOAD library

[topimiettinen]

Currently Firejail can't let seccomp filters block certain system calls because they are used later by Firejail itself after installing the seccomp filter. But Firejail could install a LD_PRELOADed shared library (like libtrace and libtracelog), which would install a seccomp filter for these remaining system calls, in case they are specified by seccomp.drop etc. For example, blocking execve would be very useful. The protection given with this late filter would not be as tight as with the filter installed earlier because some shared libraries may have a chance to run before even a library constructor is run, but the main application would still be fully controlled.

[netblue30]

This would be very cool, give it a try!

[Ferroin]

On the note of exec calls specifically, you may find noexec helpful as a starting point.

[topimiettinen]

@Ferroin: noexec library just overrides libc symbols. That works to a degree, but it can be circumvented. Blocking with a seccomp filter is much more robust.