From 33c8907f97aeaf671863ce7117482cc0bef9b3ed Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 7 Aug 2023 22:57:33 +0100
Subject: Update syscall lists from systemd ab9617a766

* lib/sandbox.c (make_seccomp_filter): Add `futex_waitv`, `riscv_hwprobe`, and `arm_fadvise64_64`.
---
 lib/sandbox.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/sandbox.c b/lib/sandbox.c
index 7eb69e8b..ca218f55 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -279,7 +279,7 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
 * Since I currently know of no library with suitable syscall lists,
 * the syscall lists here are taken from
 * systemd:src/shared/seccomp-util.c, last updated from commit
- * fc2a0bc05e0429e468c7eaad52998292105fe7fb (2023-01-13).
+ * ab9617a76624c43a26de7e94424088ae171ebfef (2023-08-07).
 */

 /* systemd: SystemCallFilter=@default */
@@ -297,6 +297,7 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
 SC_ALLOW ("exit_group");
 SC_ALLOW ("futex");
 SC_ALLOW ("futex_time64");
+ SC_ALLOW ("futex_waitv");
 SC_ALLOW ("get_robust_list");
 SC_ALLOW ("get_thread_area");
 SC_ALLOW ("getegid");
@@ -332,6 +333,7 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
 SC_ALLOW ("prlimit64");
 SC_ALLOW ("restart_syscall");
 SC_ALLOW ("riscv_flush_icache");
+ SC_ALLOW ("riscv_hwprobe");
 SC_ALLOW ("rseq");
 SC_ALLOW ("rt_sigreturn");
 SC_ALLOW ("sched_getaffinity");
@@ -520,6 +522,7 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
 SC_ALLOW ("syncfs");

 /* systemd: SystemCallFilter=@system-service (subset) */
+ SC_ALLOW ("arm_fadvise64_64");
 SC_ALLOW ("fadvise64");
 SC_ALLOW ("fadvise64_64");
 if (permissive)
--
cgit v1.2.3
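Review bot: Each added `SC_ALLOW` name (`futex_waitv` in this hunk, `riscv_hwprobe` in the next, `arm_fadvise64_64` in the last) is resolved by string at runtime, so the new rules only take effect when the libseccomp the binary links against knows those names, and whether an unknown name is skipped or aborts the whole filter depends on the `SC_ALLOW` definition, which is outside this hunk. If it aborts, a slightly older libseccomp would make filter construction fail outright rather than merely omit one rule, and the caller's handling of that failure (also outside the hunk) decides whether the process then runs without the sandbox. Worth confirming that behaviour and recording it beside the comment that cites the systemd commit, e.g. `/* Names unknown to the running libseccomp are skipped; see SC_ALLOW. */` once verified. The body of `make_seccomp_filter` begins and ends outside this hunk.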