augment seccomp lists in firejail.config #4340

Merged (3 commits) on Jun 26, 2021

@smitsohu (Collaborator) commented Jun 5, 2021

Contributes to #3219.

I didn't know where to put kcmp, so still no full solution.

@smitsohu force-pushed the kcmp branch 2 times, most recently from da0f6dd to 00ffa72, June 5, 2021 23:18
@smitsohu marked this pull request as ready for review June 5, 2021 23:23

@topimiettinen (Collaborator) left a comment

Nice idea! This allows the local admin or distro to make changes which may not make sense for others.

@topimiettinen (Collaborator) left a comment

Command line version would be nice and of course documentation is a must. Otherwise looks great.

src/firejail/checkcfg.c (outdated, resolved)

@topimiettinen (Collaborator) commented

There is still a bug, where removing syscalls leads to empty seccomp lists (and these are not allowed). I'll add a minimal fix.

Perhaps the empty seccomp lists could be forbidden when user specifies them but allowed for internal use (or when the architecture specific version is empty etc).

@smitsohu (Collaborator, Author) commented

> Command line version would be nice

Command line version exists already: --seccomp=

> and of course documentation is a must

Done.

Unrelated to the changed code, I moved some parts of --seccomp documentation to --seccomp= because I had the impression it fits better there.

> Perhaps the empty seccomp lists could be forbidden when user specifies them but allowed for internal use (or when the architecture specific version is empty etc).

Done (for default+drop list).

@smitsohu force-pushed the kcmp branch 9 times, most recently from 440fc13 to 3df84cf, June 18, 2021 18:21

* move everything related to modification
of the default seccomp filter from --seccomp
to --seccomp= entry

* update errno descriptions