Source: firejail
Version: 0.9.26-1
Severity: wishlist
Tags: patch

Bug #789163 claims that firejail "fails to build on several architectures since seccomp isn't universally available on Linux":

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789163

I note, however, that libseccomp is available on arm64:

https://buildd.debian.org/status/package.php?p=libseccomp&suite=sid

I also note that firejail can be built on arm64 with this trivial patch, attached. So, should firejail be enabled on arm64? Or is something else required?

diff -ru firejail-0.9.26.orig/src/firejail/seccomp.c firejail-0.9.26/src/firejail/seccomp.c --- firejail-0.9.26.orig/src/firejail/seccomp.c +++ firejail-0.9.26/src/firejail/seccomp.c @@ -403,18 +403,31 @@ filter_add_blacklist(SYS_finit_module); #endif filter_add_blacklist(SYS_delete_module); +#ifdef SYS_iopl filter_add_blacklist(SYS_iopl); +#endif +#ifdef SYS_ioperm filter_add_blacklist(SYS_ioperm); +#endif filter_add_blacklist(SYS_swapon); filter_add_blacklist(SYS_swapoff); filter_add_blacklist(SYS_syslog); filter_add_blacklist(SYS_process_vm_readv); filter_add_blacklist(SYS_process_vm_writev); +#ifdef SYS_mknod filter_add_blacklist(SYS_mknod); +#endif +#ifdef SYS_mknodat + filter_add_blacklist(SYS_mknodat); +#endif // new syscalls in 0.9,23 +#ifdef SYS_sysfs filter_add_blacklist(SYS_sysfs); +#endif +#ifdef SYS__sysctl filter_add_blacklist(SYS__sysctl); +#endif filter_add_blacklist(SYS_adjtimex); filter_add_blacklist(SYS_clock_adjtime); filter_add_blacklist(SYS_lookup_dcookie);
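
Review bot: the `+ filter_add_blacklist(SYS_mknodat);` line next to the mknod entry is a new blacklist entry, not a guard around an existing one, so the hunk changes the seccomp filter on every architecture where SYS_mknodat is defined, not only on arm64. It looks like the right addition, because once `SYS_mknod` is guarded out nothing else in the visible list covers device-node creation, but it should be stated in the patch description or split into its own change so it is not read as a pure build fix. Separately, each `#ifdef SYS_...` guard drops its entry silently when the macro is absent; a short comment above the guarded calls naming which syscalls are architecture-dependent would help anyone auditing the resulting filter on a new port.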