author | Colin Watson <cjwatson@debian.org> | 2023-08-07 22:57:33 +0100 |
committer | Colin Watson <cjwatson@debian.org> | 2023-08-07 22:57:34 +0100 |
commit | 33c8907f97aeaf671863ce7117482cc0bef9b3ed (patch) | |
tree | f0c07eae8e335984d42fe4aff2173c2ed8a4d95a | |
parent | 4241f5d632472d0e05cf073f15766e0d01d360bf (diff) |
Update syscall lists from systemd ab9617a766
* lib/sandbox.c (make_seccomp_filter): Add `futex_waitv`,
`riscv_hwprobe`, and `arm_fadvise64_64`.
-rw-r--r-- | lib/sandbox.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/sandbox.c b/lib/sandbox.c
index 7eb69e8b..ca218f55 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -279,7 +279,7 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
 	 * Since I currently know of no library with suitable syscall lists,
 	 * the syscall lists here are taken from
 	 * systemd:src/shared/seccomp-util.c, last updated from commit
-	 * fc2a0bc05e0429e468c7eaad52998292105fe7fb (2023-01-13).
+	 * ab9617a76624c43a26de7e94424088ae171ebfef (2023-08-07).
 	 */
 
 	/* systemd: SystemCallFilter=@default */
@@ -297,6 +297,7 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
 	SC_ALLOW ("exit_group");
 	SC_ALLOW ("futex");
 	SC_ALLOW ("futex_time64");
+	SC_ALLOW ("futex_waitv");
 	SC_ALLOW ("get_robust_list");
 	SC_ALLOW ("get_thread_area");
 	SC_ALLOW ("getegid");
@@ -332,6 +333,7 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
 	SC_ALLOW ("prlimit64");
 	SC_ALLOW ("restart_syscall");
 	SC_ALLOW ("riscv_flush_icache");
+	SC_ALLOW ("riscv_hwprobe");
 	SC_ALLOW ("rseq");
 	SC_ALLOW ("rt_sigreturn");
 	SC_ALLOW ("sched_getaffinity");
@@ -520,6 +522,7 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
 	SC_ALLOW ("syncfs");
 
 	/* systemd: SystemCallFilter=@system-service (subset) */
+	SC_ALLOW ("arm_fadvise64_64");
 	SC_ALLOW ("fadvise64");
 	SC_ALLOW ("fadvise64_64");
 	if (permissive)
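Review bot: `SC_ALLOW ("riscv_hwprobe");` in the third hunk names a syscall that was only introduced in Linux 6.4, and the libseccomp syscall tables shipped by most distributions at the time of this commit will not know it, so `seccomp_syscall_resolve_name` is likely to return `__NR_SCMP_ERROR` for it on those hosts. The `SC_ALLOW` macro and the rest of `make_seccomp_filter` are outside the hunk, so I cannot see whether an unresolvable name is skipped, logged, or turned into a filter failure; if it is the latter, this single entry would silently disable the seccomp sandbox on every host with an older libseccomp, which is a worse outcome than lacking the one allow rule. Worth confirming that path and recording the assumption next to the new line, e.g. `/* riscv_hwprobe is Linux 6.4+; older libseccomp cannot resolve it, so SC_ALLOW must tolerate an unknown name */`. The existing arch-specific entries such as `riscv_flush_icache` suggest unknown names are already tolerated, but that is inferred rather than visible here.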