author | Colin Watson <cjwatson@debian.org> | 2019-08-21 14:21:36 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2019-08-21 14:21:36 +0100 |
commit | eba42505de9bdd3b7c14f58c03c778502923f420 (patch) | |
tree | 404d8898bb4adde49e869adba4631d412b0b2620 /lib | |
parent | 3a084ddeea0f99f8984e51946f28f3d81579dee4 (diff) |
sandbox: Reorganise using @system-service set
systemd defines a @system-service set now which covers some of the ones
that were previously isolated here, so reorganise to take account of
that. No functional change.
* lib/sandbox.c (make_seccomp_filter): Reorganise using systemd's new
@system-service set.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/sandbox.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/lib/sandbox.c b/lib/sandbox.c
index 22f7f225..cabe70ff 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -484,9 +484,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
 	SC_ALLOW ("sync_file_range");
 	SC_ALLOW ("syncfs");
 
-	/* Extra syscalls not in any of systemd's sets. */
-	SC_ALLOW ("arm_fadvise64_64");
-	SC_ALLOW ("arm_sync_file_range");
+	/* systemd: SystemCallFilter=@system-service (subset) */
 	SC_ALLOW ("brk");
 	SC_ALLOW ("fadvise64");
 	SC_ALLOW ("fadvise64_64");
@@ -500,10 +498,14 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
 	SC_ALLOW ("mprotect");
 	SC_ALLOW ("mremap");
 	SC_ALLOW ("sched_getaffinity");
-	SC_ALLOW ("sync_file_range2");
 	SC_ALLOW ("sysinfo");
 	SC_ALLOW ("uname");
 
+	/* Extra syscalls not in any of systemd's sets. */
+	SC_ALLOW ("arm_fadvise64_64");
+	SC_ALLOW ("arm_sync_file_range");
+	SC_ALLOW ("sync_file_range2");
+
 	/* Allow killing processes and threads. This is unfortunate but
 	 * unavoidable: groff uses kill to explicitly pass on SIGPIPE to its
 	 * child processes, and we can't do any more sophisticated filtering
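Review bot: The new group header `/* systemd: SystemCallFilter=@system-service (subset) */` in the first hunk does not record which systemd revision's definition of @system-service the grouping was checked against, so a later reader cannot re-audit whether brk, fadvise64 and the rest still belong to that set once systemd's set definitions change; consider `/* systemd: SystemCallFilter=@system-service (subset; checked against systemd <VERSION-PLACEHOLDER>) */`, and the same applies to the "Extra syscalls not in any of systemd's sets" heading in the second hunk. Because the allow-list is the sandbox's security boundary, it is worth stating in the commit that the multiset of SC_ALLOW names is unchanged: the two entries dropped in the first hunk (arm_fadvise64_64, arm_sync_file_range) and the one dropped in the second (sync_file_range2) reappear under the relocated "Extra syscalls" heading, which is what the hunks show and matches the "No functional change" claim. make_seccomp_filter begins before the first hunk and continues past the last one, so entries outside these two hunks were not reviewed here.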