seccomp: add four new syscall groups
These groups should be useful shortcuts for sets of closely related syscalls where it usually makes more sense to allow them altogether or not at all.
This commit is contained in:
Lennart Poettering
parent
0963c053fa
commit
cd0ddf6f75
|
|
@ -1461,6 +1461,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
|||
<entry>@cpu-emulation</entry>
|
||||
<entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@credentials</entry>
|
||||
<entry>System calls for querying process credentials (<citerefentry project='man-pages'><refentrytitle>getuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>capget</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@debug</entry>
|
||||
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
|
|
@ -1481,6 +1485,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
|||
<entry>@keyring</entry>
|
||||
<entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@memlock</entry>
|
||||
<entry>Locking of memory into RAM (<citerefentry project='man-pages'><refentrytitle>mlock</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>mlockall</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@module</entry>
|
||||
<entry>Loading and unloading of kernel modules (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
|
|
@ -1521,10 +1529,18 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
|||
<entry>@setuid</entry>
|
||||
<entry>System calls for changing user ID and group ID credentials, (<citerefentry project='man-pages'><refentrytitle>setuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setgid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setresuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@signal</entry>
|
||||
<entry>System calls for manipulating and handling process signals (<citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>sigprocmask</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@swap</entry>
|
||||
<entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@timer</entry>
|
||||
<entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
|
|
|||
|
|
@ -333,6 +333,32 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||
"vm86\0"
|
||||
"vm86old\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_CREDENTIALS] = {
|
||||
.name = "@credentials",
|
||||
.help = "Query own process credentials",
|
||||
.value =
|
||||
"capget\0"
|
||||
"getegid\0"
|
||||
"getegid32\0"
|
||||
"geteuid\0"
|
||||
"geteuid32\0"
|
||||
"getgid\0"
|
||||
"getgid32\0"
|
||||
"getgroups\0"
|
||||
"getgroups32\0"
|
||||
"getpgid\0"
|
||||
"getpgrp\0"
|
||||
"getpid\0"
|
||||
"getppid\0"
|
||||
"getresgid\0"
|
||||
"getresgid32\0"
|
||||
"getresuid\0"
|
||||
"getresuid32\0"
|
||||
"getsid\0"
|
||||
"gettid\0"
|
||||
"getuid\0"
|
||||
"getuid32\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_DEBUG] = {
|
||||
.name = "@debug",
|
||||
.help = "Debugging, performance monitoring and tracing functionality",
|
||||
|
|
@ -487,6 +513,16 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||
"keyctl\0"
|
||||
"request_key\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_MEMLOCK] = {
|
||||
.name = "@memlock",
|
||||
.help = "Memory locking control",
|
||||
.value =
|
||||
"mlock\0"
|
||||
"mlock2\0"
|
||||
"mlockall\0"
|
||||
"munlock\0"
|
||||
"munlockall\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_MODULE] = {
|
||||
.name = "@module",
|
||||
.help = "Loading and unloading of kernel modules",
|
||||
|
|
@ -691,6 +727,24 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||
"setuid\0"
|
||||
"setuid32\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_SIGNAL] = {
|
||||
.name = "@signal",
|
||||
.help = "Process signal handling",
|
||||
.value =
|
||||
"rt_sigaction\0"
|
||||
"rt_sigpending\0"
|
||||
"rt_sigprocmask\0"
|
||||
"rt_sigsuspend\0"
|
||||
"rt_sigtimedwait\0"
|
||||
"sigaction\0"
|
||||
"sigaltstack\0"
|
||||
"signal\0"
|
||||
"signalfd\0"
|
||||
"signalfd4\0"
|
||||
"sigpending\0"
|
||||
"sigprocmask\0"
|
||||
"sigsuspend\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_SWAP] = {
|
||||
.name = "@swap",
|
||||
.help = "Enable/disable swap devices",
|
||||
|
|
@ -698,6 +752,23 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||
"swapoff\0"
|
||||
"swapon\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_TIMER] = {
|
||||
.name = "@timer",
|
||||
.help = "Schedule operations by time",
|
||||
.value =
|
||||
"alarm\0"
|
||||
"getitimer\0"
|
||||
"setitimer\0"
|
||||
"timer_create\0"
|
||||
"timer_delete\0"
|
||||
"timer_getoverrun\0"
|
||||
"timer_gettime\0"
|
||||
"timer_settime\0"
|
||||
"timerfd_create\0"
|
||||
"timerfd_gettime\0"
|
||||
"timerfd_settime\0"
|
||||
"times\0"
|
||||
},
|
||||
};
|
||||
|
||||
const SyscallFilterSet *syscall_filter_set_find(const char *name) {
|
||||
|
|
|
|||
|
|
@ -44,11 +44,13 @@ enum {
|
|||
SYSCALL_FILTER_SET_BASIC_IO,
|
||||
SYSCALL_FILTER_SET_CLOCK,
|
||||
SYSCALL_FILTER_SET_CPU_EMULATION,
|
||||
SYSCALL_FILTER_SET_CREDENTIALS,
|
||||
SYSCALL_FILTER_SET_DEBUG,
|
||||
SYSCALL_FILTER_SET_FILE_SYSTEM,
|
||||
SYSCALL_FILTER_SET_IO_EVENT,
|
||||
SYSCALL_FILTER_SET_IPC,
|
||||
SYSCALL_FILTER_SET_KEYRING,
|
||||
SYSCALL_FILTER_SET_MEMLOCK,
|
||||
SYSCALL_FILTER_SET_MODULE,
|
||||
SYSCALL_FILTER_SET_MOUNT,
|
||||
SYSCALL_FILTER_SET_NETWORK_IO,
|
||||
|
|
@ -59,7 +61,9 @@ enum {
|
|||
SYSCALL_FILTER_SET_REBOOT,
|
||||
SYSCALL_FILTER_SET_RESOURCES,
|
||||
SYSCALL_FILTER_SET_SETUID,
|
||||
SYSCALL_FILTER_SET_SIGNAL,
|
||||
SYSCALL_FILTER_SET_SWAP,
|
||||
SYSCALL_FILTER_SET_TIMER,
|
||||
_SYSCALL_FILTER_SET_MAX
|
||||
};
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue