authorColin Watson <cjwatson@debian.org>2019-08-21 14:21:36 +0100
committerColin Watson <cjwatson@debian.org>2019-08-21 14:21:36 +0100
commiteba42505de9bdd3b7c14f58c03c778502923f420 (patch)
tree404d8898bb4adde49e869adba4631d412b0b2620 /lib
parent3a084ddeea0f99f8984e51946f28f3d81579dee4 (diff)
sandbox: Reorganise using @system-service set
systemd defines a @system-service set now which covers some of the ones that were previously isolated here, so reorganise to take account of that. No functional change. * lib/sandbox.c (make_seccomp_filter): Reorganise using systemd's new @system-service set.
Diffstat (limited to 'lib')
-rw-r--r--lib/sandbox.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/lib/sandbox.c b/lib/sandbox.c
index 22f7f225..cabe70ff 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -484,9 +484,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
SC_ALLOW ("sync_file_range");
SC_ALLOW ("syncfs");
- /* Extra syscalls not in any of systemd's sets. */
- SC_ALLOW ("arm_fadvise64_64");
- SC_ALLOW ("arm_sync_file_range");
+ /* systemd: SystemCallFilter=@system-service (subset) */
SC_ALLOW ("brk");
SC_ALLOW ("fadvise64");
SC_ALLOW ("fadvise64_64");
@@ -500,10 +498,14 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
SC_ALLOW ("mprotect");
SC_ALLOW ("mremap");
SC_ALLOW ("sched_getaffinity");
- SC_ALLOW ("sync_file_range2");
SC_ALLOW ("sysinfo");
SC_ALLOW ("uname");
+ /* Extra syscalls not in any of systemd's sets. */
+ SC_ALLOW ("arm_fadvise64_64");
+ SC_ALLOW ("arm_sync_file_range");
+ SC_ALLOW ("sync_file_range2");
+
/* Allow killing processes and threads. This is unfortunate but
* unavoidable: groff uses kill to explicitly pass on SIGPIPE to its
* child processes, and we can't do any more sophisticated filtering
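Review bot: The comment added at L38, "Extra syscalls not in any of systemd's sets", records a fact about an external project that changes between systemd releases, so without a reference point the next person auditing this allow-list cannot tell whether a syscall is still absent from @system-service or has since been absorbed into it; I would pin it, e.g. `/* Extra syscalls not in any of systemd's sets (checked against systemd <VERSION — placeholder>). */`. The same applies to the "@system-service (subset)" comment at L27 in the first hunk: "subset" says the filter is narrower than the systemd set but not whether the omitted members are excluded on purpose, and if they are, one clause saying so (`subset; remaining members intentionally not allowed`) would stop a later maintainer "completing" the set and widening the sandbox. Both points are documentation only; the allow-list itself is unchanged by the commit. make_seccomp_filter begins before the first hunk and continues past this one.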