From eba42505de9bdd3b7c14f58c03c778502923f420 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Wed, 21 Aug 2019 14:21:36 +0100
Subject: sandbox: Reorganise using @system-service set

systemd defines a @system-service set now which covers some of the ones that were previously isolated here, so reorganise to take account of that. No functional change.

* lib/sandbox.c (make_seccomp_filter): Reorganise using systemd's new @system-service set.
---
 lib/sandbox.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'lib')

diff --git a/lib/sandbox.c b/lib/sandbox.c
index 22f7f225..cabe70ff 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -484,9 +484,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
 	SC_ALLOW ("sync_file_range");
 	SC_ALLOW ("syncfs");
 
-	/* Extra syscalls not in any of systemd's sets. */
-	SC_ALLOW ("arm_fadvise64_64");
-	SC_ALLOW ("arm_sync_file_range");
+	/* systemd: SystemCallFilter=@system-service (subset) */
 	SC_ALLOW ("brk");
 	SC_ALLOW ("fadvise64");
 	SC_ALLOW ("fadvise64_64");
@@ -500,10 +498,14 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
 	SC_ALLOW ("mprotect");
 	SC_ALLOW ("mremap");
 	SC_ALLOW ("sched_getaffinity");
-	SC_ALLOW ("sync_file_range2");
 	SC_ALLOW ("sysinfo");
 	SC_ALLOW ("uname");
 
+	/* Extra syscalls not in any of systemd's sets. */
+	SC_ALLOW ("arm_fadvise64_64");
+	SC_ALLOW ("arm_sync_file_range");
+	SC_ALLOW ("sync_file_range2");
+
 	/* Allow killing processes and threads. This is unfortunate but
 	 * unavoidable: groff uses kill to explicitly pass on SIGPIPE to its
 	 * child processes, and we can't do any more sophisticated filtering
--
cgit v1.2.3
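Review bot: The relocated heading `/* Extra syscalls not in any of systemd's sets. */`, now placed over `sync_file_range2` in the second hunk, is a claim about systemd's set contents that will drift without a version anchor: the membership of @system-service (and, I believe, of @sync, which may already carry sync_file_range2 in some releases) has changed between systemd releases, so a reader cannot tell which release this classification was checked against. Because this allowlist is the sandbox's security boundary and these headings are what a future maintainer will rely on when deciding whether an entry can be dropped or must be kept, I would pin the release in both headings, e.g. `/* systemd: SystemCallFilter=@system-service (subset; checked against systemd vNNN) */` and `/* Extra syscalls not in any of systemd's sets as of systemd vNNN. */`. A one-line note that arm_fadvise64_64, arm_sync_file_range and sync_file_range2 are architecture-specific spellings needed on ARM (and, for sync_file_range2, presumably other 32-bit targets — verify against libseccomp's tables) would also justify keeping them rather than inviting their removal as "not in systemd". make_seccomp_filter's body starts and ends outside both hunks.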