seccomp: add @filesystem syscall group (#4537)
@filesystem groups various file system operations, such as opening files and directories for read/write and stat()ing them, plus renaming, deleting, symlinking, hardlinking.
This commit is contained in:
Lennart Poettering
Zbigniew Jędrzejewski-Szmek
parent
6680b8d118
commit
1a1b13c957
|
|
@ -1355,6 +1355,10 @@
|
|||
<entry>@debug</entry>
|
||||
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@file-system</entry>
|
||||
<entry>File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links.</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@io-event</entry>
|
||||
<entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
|
|
|
|||
|
|
@ -290,6 +290,78 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||
#endif
|
||||
"sys_debug_setcontext\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_FILE_SYSTEM] = {
|
||||
.name = "@file-system",
|
||||
.help = "File system operations",
|
||||
.value =
|
||||
"access\0"
|
||||
"chdir\0"
|
||||
"chmod\0"
|
||||
"close\0"
|
||||
"creat\0"
|
||||
"faccessat\0"
|
||||
"fallocate\0"
|
||||
"fchdir\0"
|
||||
"fchmod\0"
|
||||
"fchmodat\0"
|
||||
"fcntl64\0"
|
||||
"fcntl\0"
|
||||
"fgetxattr\0"
|
||||
"flistxattr\0"
|
||||
"fsetxattr\0"
|
||||
"fstat64\0"
|
||||
"fstat\0"
|
||||
"fstatat64\0"
|
||||
"fstatfs64\0"
|
||||
"fstatfs\0"
|
||||
"ftruncate64\0"
|
||||
"ftruncate\0"
|
||||
"futimesat\0"
|
||||
"getcwd\0"
|
||||
"getdents64\0"
|
||||
"getdents\0"
|
||||
"getxattr\0"
|
||||
"inotify_add_watch\0"
|
||||
"inotify_init1\0"
|
||||
"inotify_rm_watch\0"
|
||||
"lgetxattr\0"
|
||||
"link\0"
|
||||
"linkat\0"
|
||||
"listxattr\0"
|
||||
"llistxattr\0"
|
||||
"lremovexattr\0"
|
||||
"lsetxattr\0"
|
||||
"lstat64\0"
|
||||
"lstat\0"
|
||||
"mkdir\0"
|
||||
"mkdirat\0"
|
||||
"mknod\0"
|
||||
"mknodat\0"
|
||||
"mmap2\0"
|
||||
"mmap\0"
|
||||
"newfstatat\0"
|
||||
"open\0"
|
||||
"openat\0"
|
||||
"readlink\0"
|
||||
"readlinkat\0"
|
||||
"removexattr\0"
|
||||
"rename\0"
|
||||
"renameat2\0"
|
||||
"renameat\0"
|
||||
"rmdir\0"
|
||||
"setxattr\0"
|
||||
"stat64\0"
|
||||
"stat\0"
|
||||
"statfs\0"
|
||||
"symlink\0"
|
||||
"symlinkat\0"
|
||||
"truncate64\0"
|
||||
"truncate\0"
|
||||
"unlink\0"
|
||||
"unlinkat\0"
|
||||
"utimensat\0"
|
||||
"utimes\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_IO_EVENT] = {
|
||||
.name = "@io-event",
|
||||
.help = "Event loop system calls",
|
||||
|
|
|
|||
|
|
@ -45,6 +45,7 @@ enum {
|
|||
SYSCALL_FILTER_SET_CLOCK,
|
||||
SYSCALL_FILTER_SET_CPU_EMULATION,
|
||||
SYSCALL_FILTER_SET_DEBUG,
|
||||
SYSCALL_FILTER_SET_FILE_SYSTEM,
|
||||
SYSCALL_FILTER_SET_IO_EVENT,
|
||||
SYSCALL_FILTER_SET_IPC,
|
||||
SYSCALL_FILTER_SET_KEYRING,
|
||||
|
|
|
|||
Loading…
Reference in New Issue