Add @pkey syscall group
Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1769299. This change doesn't solve the issue, but makes it easier to whitelist the syscall group.
This commit is contained in:
parent
6ca6771069
commit
9493b16871
|
@ -123,6 +123,7 @@ static int seccomp_add_default_syscall_filter(
|
|||
* @cpu-emulation
|
||||
* @keyring (NB: keyring is not namespaced!)
|
||||
* @obsolete
|
||||
* @pkey
|
||||
* @swap
|
||||
*
|
||||
* bpf (NB: bpffs is not namespaced!)
|
||||
|
@ -134,9 +135,6 @@ static int seccomp_add_default_syscall_filter(
|
|||
* nfsservctl
|
||||
* open_by_handle_at
|
||||
* perf_event_open
|
||||
* pkey_alloc
|
||||
* pkey_free
|
||||
* pkey_mprotect
|
||||
* quotactl
|
||||
*/
|
||||
};
|
||||
|
|
|
@ -629,6 +629,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||
"ustat\0"
|
||||
"vserver\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_PKEY] = {
|
||||
.name = "@pkey",
|
||||
.help = "System calls used for memory protection keys",
|
||||
.value =
|
||||
"pkey_alloc\0"
|
||||
"pkey_free\0"
|
||||
"pkey_mprotect\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_PRIVILEGED] = {
|
||||
.name = "@privileged",
|
||||
.help = "All system calls which need super-user capabilities",
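Review bot: The new `[SYSCALL_FILTER_SET_PKEY]` entry has no accompanying documentation change in this commit, so the user-facing list of predefined `@`-groups (presumably the system-call-set table in the systemd.exec man page, where the neighbouring groups are described) will not mention `@pkey`, and administrators whitelisting it via SystemCallFilter= have nothing to look up. Adding a row there with the same wording as the `.help` string, "System calls used for memory protection keys", would keep the two in sync. The `.value` list is consistent with the three `pkey_*` names removed from the nspawn comment in the earlier hunk, and the enum member is inserted in alphabetical order between OBSOLETE and PRIVILEGED, so the designated-initializer index and the enum agree. If a unit test enumerates every filter set against expected names (hedged; not visible here), it may need the new set added as well.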
|
||||
|
|
|
@ -38,6 +38,7 @@ enum {
|
|||
SYSCALL_FILTER_SET_MOUNT,
|
||||
SYSCALL_FILTER_SET_NETWORK_IO,
|
||||
SYSCALL_FILTER_SET_OBSOLETE,
|
||||
SYSCALL_FILTER_SET_PKEY,
|
||||
SYSCALL_FILTER_SET_PRIVILEGED,
|
||||
SYSCALL_FILTER_SET_PROCESS,
|
||||
SYSCALL_FILTER_SET_RAW_IO,
|
||||
|
|