Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

augment seccomp lists in firejail.config #4340

Merged
merged 3 commits into from
Jun 26, 2021
Merged

augment seccomp lists in firejail.config #4340

merged 3 commits into from
Jun 26, 2021

Conversation

smitsohu
Copy link
Collaborator

@smitsohu smitsohu commented Jun 5, 2021

Contributes to #3219.

I didn't know where to put kcmp, so still no full solution.

@smitsohu smitsohu marked this pull request as draft June 5, 2021 20:29
@smitsohu

This comment has been minimized.

Sign in to view
@smitsohu smitsohu force-pushed the kcmp branch 2 times, most recently from da0f6dd to 00ffa72 Compare June 5, 2021 23:18
@smitsohu smitsohu marked this pull request as ready for review June 5, 2021 23:23
topimiettinen
topimiettinen reviewed Jun 6, 2021
View reviewed changes
Copy link
Collaborator

@topimiettinen topimiettinen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice idea! This allows the local admin or distro to make changes which may not make sense for others.

topimiettinen
topimiettinen reviewed Jun 6, 2021
View reviewed changes
Copy link
Collaborator

@topimiettinen topimiettinen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Command line version would be nice and of course documentation is a must. Otherwise looks great.

src/firejail/checkcfg.c Outdated Show resolved Hide resolved
@topimiettinen
Copy link
Collaborator

There is still a bug, where removing syscalls leads to empty seccomp lists (and these are not allowed). I'll add a minimal fix.

Perhaps the empty seccomp lists could be forbidden when user specifies them but allowed for internal use (or when the architecture specific version is empty etc).

@smitsohu
Copy link
Collaborator Author

Command line version would be nice

Command line version exists already: --seccomp=

and of course documentation is a must

Done.

Unlrelated to the changed code, I moved some parts of --seccomp documentation to --seccomp= because I had the impression it fits better there.

Perhaps the empty seccomp lists could be forbidden when user specifies them but allowed for internal use (or when the architecture specific version is empty etc).

Done (for default+drop list).

@smitsohu smitsohu force-pushed the kcmp branch 9 times, most recently from 440fc13 to 3df84cf Compare June 18, 2021 18:21
@smitsohu
seccomp man page update
925c9fe 
* move everything related to modification
of the default seccomp filter from --seccomp
to --seccomp= entry

* update errno descriptions
@smitsohu
RELNOTES
43fb38e
@smitsohu smitsohu merged commit 46712f7 into netblue30:master Jun 26, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@topimiettinen topimiettinen topimiettinen left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@smitsohu @topimiettinen