picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add @pkey syscall group 

Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1769299.
This change doesn't solve the issue, but makes it easier to whitelist the
syscall group.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2019-11-08 12:56:56 +01:00
parent 6ca6771069
commit 9493b16871
3 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/nspawn/nspawn-seccomp.c
View File

@ -123,6 +123,7 @@ static int seccomp_add_default_syscall_filter(
* @cpu-emulation
* @keyring (NB: keyring is not namespaced!)
* @obsolete
* @pkey
* @swap
*
* bpf (NB: bpffs is not namespaced!)
@ -134,9 +135,6 @@ static int seccomp_add_default_syscall_filter(
* nfsservctl
* open_by_handle_at
* perf_event_open
* pkey_alloc
* pkey_free
* pkey_mprotect
* quotactl
*/
};

8
src/shared/seccomp-util.c
View File

@ -629,6 +629,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"ustat\0"
"vserver\0"
},
[SYSCALL_FILTER_SET_PKEY] = {
.name = "@pkey",
.help = "System calls used for memory protection keys",
.value =
"pkey_alloc\0"
"pkey_free\0"
"pkey_mprotect\0"
},
[SYSCALL_FILTER_SET_PRIVILEGED] = {
.name = "@privileged",
.help = "All system calls which need super-user capabilities",

1
src/shared/seccomp-util.h
View File

@ -38,6 +38,7 @@ enum {
SYSCALL_FILTER_SET_MOUNT,
SYSCALL_FILTER_SET_NETWORK_IO,
SYSCALL_FILTER_SET_OBSOLETE,
SYSCALL_FILTER_SET_PKEY,
SYSCALL_FILTER_SET_PRIVILEGED,
SYSCALL_FILTER_SET_PROCESS,
SYSCALL_FILTER_SET_RAW_IO,