From 533a57ebe12bb53d91c85cf054d0b000c2964b6a Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sat, 26 Jun 2021 16:43:49 +0200
Subject: [PATCH] remove kcmp from seccomp default drop list (#3219)
---
 RELNOTES | 1 +
 etc/templates/syscalls.txt | 2 +-
 src/lib/syscall.c | 3 ---
 3 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index a83a2c7484b..b6b5f0f7e79 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,6 +5,7 @@ firejail (0.9.65) baseline; urgency=low
 * new firejail.config settings: private-opt, private-srv
 * new firejail.config settings: whitelist-disable-topdir
 * new firejail.config settings: seccomp-filter-add
+ * removed kcmp syscall from seccomp default filter
 * rename --noautopulse to keep-config-pulse
 * filtering environment variables
 * zsh completion
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 0775f60ff57..3992c984a3f 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index b3131ac1767..d0d9ff5aa70 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
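Review bot: The rewritten `+@default=` line still carries `set_mempolicyvmsplice`, which is not a syscall name; it reads as a missing comma between `set_mempolicy` and `vmsplice`, so anyone reading or parsing this template sees a default group that is missing both entries even though the C list in `src/lib/syscall.c` may well block them. The token is inherited from the `-` line, so the commit does not introduce it, but since the line is being rewritten anyway this is the place to fix it: `...,remap_file_pages,set_mempolicy,vmsplice,userfaultfd,...`. While touching it, it is worth confirming that the template and the `sysgroups[]` table in `src/lib/syscall.c` list the same members for `@default`, because the hunk touches only kcmp and the diffstat shows no other line of this file changing.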
@@ -253,9 +253,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_fanotify_init
 "fanotify_init,"
 #endif
-#ifdef SYS_kcmp
- "kcmp,"
-#endif
 #ifdef SYS_add_key
 "add_key,"
 #endif