Improved strace syscall editing instructions

[ghost]

On https://firejail.wordpress.com/documentation-2/seccomp-guide/ the instructions:

We bring strace output (cut&paste) in a text editor and clean it up. We extract a comma-separated list without any blanks, something like:

Prior to now I did not have a method of doing this sanely. It horrifies me to imagine my fellow firejailers editing strace text file output by hand so here is a unix way to help speed this process along. I asked me old friend Awk what he thought would work and after some experimenting we came up with this:

for i in ping ; do strace -qcf $i 2>&1 | awk '{$1=""; $2=""; $3=""; $4=""; sub(" ", " "); print}' ; done

the output has a few extra integers due to an uneven number of columns in every program, it is impossible to fix that but now we can add our syscalls in a nice linear format as stated in:

poll,select,nanosleep,futex,epoll_wait,fadvise64,read,lstat,stat,[...]

This method can save firejailers upwards of maybe 300+ fewer copy and pastes or for some foolhardy newbies editing strace output files with nano. shudder

[netblue30]

Thanks for the tip, I'll put it in the document.

[ghost]

Glad to help. Next up I'm thinking of ways to build a list of each binaries syscall's on a system. It will be something like 1) build a list of all installed packages on a system, 2) apply strace on each line item of the list, 3) append that output to a file and (hopefully) be human readable. A fresh Debian install will have 268 binaries, Ubuntu I forget the exact number but is something like 463. Sure most of those binaries will be useful to run via firejail in all contexts but I would bet that at some point in the future it would be useful for someone, somewhere.

It would even be useful to build a continuous list of these for each generic kernel released by a distribution and vanilla kernel. Uploading a version controlled version of the results (primarily for the benefit to prevent tampering and provide an auditable history) would be a valuable public service but I doubt I have the time to do that myself.

It would be really awesome if upstream distributions applied this model as well as they could apply seccomp restrictions on all the binaries they use before released to the public. Void may be willing to do something like that.

[netblue30]

The problem is as soon as you update the software, the filter changes. Even a simple library used by the process can trigger a filter change. It might work for stable distros like Debian or CentOS.

[chiraag-nataraj]

@netblue30 Can you add the code snippet to the website? 🙂

[rusty-snake]

Any progress here?

[rusty-snake]

@andrew415 you can use syscalls.sh (#2754)
@netblue30 https://firejail.wordpress.com/documentation-2/seccomp-guide/

1. Add info about syscalls.sh
2. On systems with systemd the syslog cmd is journalctl --grep=syscall --follow.