Currently Firejail can't let seccomp filters block certain system calls because they are used later by Firejail itself after installing the seccomp filter. But Firejail could install an LD_PRELOADed shared library (like libtrace and libtracelog), which would install a seccomp filter for these remaining system calls, in case they are specified by seccomp.drop etc. For example, blocking execve would be very useful. The protection given with this late filter would not be as tight as with the filter installed earlier because some shared libraries may have a chance to run before even a library constructor is run, but the main application would still be fully controlled.
@Ferroin: noexec library just overrides libc symbols. That works to a degree, but it can be circumvented. Blocking with a seccomp filter is much more robust.
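A sketch of the late filter proposed in this issue, as an added example that is not Firejail code and not from any participant in the thread: a preloadable library whose constructor installs a seccomp filter making `execve` fail with EPERM. The names `install_late_filter` and `liblatefilter.so` are hypothetical, and the sketch goes slightly beyond the issue text by also covering `execveat` and by killing callers that use a foreign or x32 ABI, whose syscall numbers the filter would otherwise not match.

```c
/* Added example, not Firejail code. Build as a preloadable library:
 *   cc -shared -fPIC -o liblatefilter.so latefilter.c
 * then run the target with LD_PRELOAD=./liblatefilter.so (hypothetical name). */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Returns 0 once execve/execveat fail with EPERM, -1 if the kernel refused. */
int install_late_filter(void)
{
    struct sock_filter prog[] = {
        /* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        /* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 5),   /* foreign ABI -> 7 */
        /* 2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 3 */ BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 3, 0),    /* x32 numbers -> 7 */
        /* 4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),   /* match -> 6 */
        /* 5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 2), /* no match -> 8 */
        /* 6 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        /* 7 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 8 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    /* Required for an unprivileged process to attach a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Runs when the dynamic loader initialises this library, before main(). */
__attribute__((constructor)) static void late_filter_init(void)
{
    if (install_late_filter() != 0)
        perror("late seccomp filter");
}
```

Because the filter is enforced by the kernel on the raw system call, it still applies to code that bypasses libc wrappers, which a symbol-overriding library cannot guarantee; code that runs before this constructor is not covered, as the issue text notes.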