diff --git a/NEWS b/NEWS
index c0a8ed395f..e639f4878f 100644
--- a/NEWS
+++ b/NEWS
@@ -121,8 +121,8 @@ CHANGES WITH 235:
each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …".
- * New system call filter groups @setuid, @credentials, @memlock,
- @signal and @timer have been added, for usage with SystemCallFilter=
+ * New system call filter groups @setuid, @memlock, @signal and
+ @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above).
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 02d2e9e259..9c5be21053 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1502,10 +1502,6 @@ CapabilityBoundingSet=~CAP_B CAP_C
@cpu-emulation
System calls for CPU emulation functionality (vm862 and related calls)
-
- @credentials
- System calls for querying process credentials (getuid2, capget2, and related calls)
-
@debug
Debugging, performance monitoring and tracing functionality (ptrace2, perf_event_open2 and related calls)
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index db3d098e7f..38c2b12e95 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -50,7 +50,6 @@ static int seccomp_add_default_syscall_filter(
} whitelist[] = {
/* Let's use set names where we can */
{ 0, "@basic-io" },
- { 0, "@credentials" },
{ 0, "@default" },
{ 0, "@file-system" },
{ 0, "@io-event" },
@@ -71,6 +70,7 @@ static int seccomp_add_default_syscall_filter(
/* Plus a good set of additional syscalls which are not part of any of the groups above */
{ 0, "brk" },
+ { 0, "capget" },
{ 0, "capset" },
{ 0, "chown" },
{ 0, "chown32" },
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 5e78a088e9..a7720c53dc 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -281,8 +281,28 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"futex\0"
"get_robust_list\0"
"get_thread_area\0"
+ "getegid\0"
+ "getegid32\0"
+ "geteuid\0"
+ "geteuid32\0"
+ "getgid\0"
+ "getgid32\0"
+ "getgroups\0"
+ "getgroups32\0"
+ "getpgid\0"
+ "getpgrp\0"
+ "getpid\0"
+ "getppid\0"
+ "getresgid\0"
+ "getresgid32\0"
+ "getresuid\0"
+ "getresuid32\0"
"getrlimit\0" /* make sure processes can query stack size and such */
+ "getsid\0"
+ "gettid\0"
"gettimeofday\0"
+ "getuid\0"
+ "getuid32\0"
"membarrier\0"
"nanosleep\0"
"pause\0"
@@ -333,32 +353,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"vm86\0"
"vm86old\0"
},
- [SYSCALL_FILTER_SET_CREDENTIALS] = {
- .name = "@credentials",
- .help = "Query own process credentials",
- .value =
- "capget\0"
- "getegid\0"
- "getegid32\0"
- "geteuid\0"
- "geteuid32\0"
- "getgid\0"
- "getgid32\0"
- "getgroups\0"
- "getgroups32\0"
- "getpgid\0"
- "getpgrp\0"
- "getpid\0"
- "getppid\0"
- "getresgid\0"
- "getresgid32\0"
- "getresuid\0"
- "getresuid32\0"
- "getsid\0"
- "gettid\0"
- "getuid\0"
- "getuid32\0"
- },
[SYSCALL_FILTER_SET_DEBUG] = {
.name = "@debug",
.help = "Debugging, performance monitoring and tracing functionality",
@@ -645,11 +639,10 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.help = "Process control, execution, namespaceing operations",
.value =
"arch_prctl\0"
+ "capget\0" /* Able to query arbitrary processes */
"clone\0"
"execveat\0"
"fork\0"
- "getpid\0"
- "getppid\0"
"getrusage\0"
"gettid\0"
"kill\0"
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index d4ff027df8..25ca9bcaa0 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -44,7 +44,6 @@ enum {
SYSCALL_FILTER_SET_BASIC_IO,
SYSCALL_FILTER_SET_CLOCK,
SYSCALL_FILTER_SET_CPU_EMULATION,
- SYSCALL_FILTER_SET_CREDENTIALS,
SYSCALL_FILTER_SET_DEBUG,
SYSCALL_FILTER_SET_FILE_SYSTEM,
SYSCALL_FILTER_SET_IO_EVENT,