valoq
commented
1 year ago Thanks for reporting this. The issue should now be fixed after adapting the default syscall filter.
@jonleivent Can you confirm that the current version works for you?
Closed jonleivent closed 1 year ago
valoq
commented
1 year ago Thanks for reporting this. The issue should now be fixed after adapting the default syscall filter.
@jonleivent Can you confirm that the current version works for you?
jonleivent
commented
1 year ago That works!
BTW - what are you using to decide on changes to exportFilter.c? Some type of tracing? Some static analysis? Or just trial-and-error? I've been looking for helpful documentation on the best way to create seccomp bpf filters for certain apps where this default would not be expected to work, like for a Wayland compositor.
valoq
commented
1 year ago To analyze the required system calls, you can use 'strace' For example "strace -qfc /usr/bin/firefox" will track the used system calls and provide a summary after the process is finished.
Not sure what you intend to do but all profiles in this repo are already build to work on wayland since sandboxing on X11 would not be very useful.
jonleivent
commented
1 year ago I read about using strace for this. Of course it isn't exhaustive unless you know you're executing all code paths. Do you know of any static analysis tools?
Not sure what you intend to do but all profiles in this repo are already build to work on wayland since sandboxing on X11 would not be very useful.
You're sandboxing the wayland clients. I also want to sandbox the wayland server/compositor itself. I've already got it running inside a bwrap sandbox, but no seccomp bpf filter for it yet.
seccomp_default_filter.bpf with firefox-esr 102.12 on Debian 12 with X11 prevents youtube.com from loading.