picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/src/nspawn
History
Lennart Poettering 960e4569e1 nspawn: implement configurable syscall whitelisting/blacklisting 
Now that we have ported nspawn's seccomp code to the generic code in
seccomp-util, let's extend it to support whitelisting and blacklisting
of specific additional syscalls.

This uses similar syntax as PID1's support for system call filtering,
but in contrast to that always implements a blacklist (and not a
whitelist), as we prepopulate the filter with a blacklist, and the
unit's system call filter logic does not come with anything
prepopulated.

(Later on we might actually want to invert the logic here, and
whitelist rather than blacklist things, but at this point let's not do
that. In case we switch this over later, the syscall add/remove logic of
this commit should be compatible conceptually.)

Fixes: #5163

Replaces: #5944
2017-09-12 14:06:21 +02:00
..
meson.build meson: reindent all files with 8 spaces 2017-04-23 21:47:29 -04:00
nspawn-cgroup.c Be slightly more verbose in error message 2017-07-02 12:03:56 -04:00
nspawn-cgroup.h nspawn: cleanup and chown the synced cgroup hierarchy (#4223) 2016-10-13 09:50:46 -04:00
nspawn-expose-ports.c core: introduce parse_ip_port (#4825) 2016-12-06 12:21:45 +01:00
nspawn-expose-ports.h tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-gperf.gperf nspawn: implement configurable syscall whitelisting/blacklisting 2017-09-12 14:06:21 +02:00
nspawn-mount.c nspawn: do not mount /sys/fs/kdbus 2017-07-23 12:03:00 -04:00
nspawn-mount.h nspawn: Add support for sysroot pivoting (#5258) 2017-02-08 16:54:31 +01:00
nspawn-network.c Fix includes (#5980) 2017-05-19 10:01:35 -04:00
nspawn-network.h nspawn: add new --network-zone= switch for automatically managed bridge devices 2016-05-09 15:45:31 +02:00
nspawn-patch-uid.c fs-util: unify code we use to check if dirent's d_name is "." or ".." 2017-02-02 00:06:18 +01:00
nspawn-patch-uid.h nspawn: optionally fix up OS tree uid/gids for userns 2016-04-25 12:15:57 +02:00
nspawn-register.c nspawn: wait for the scope to be created (#6261) 2017-07-03 07:59:49 +02:00
nspawn-register.h nspawn: register a scope for the unit if --register=no is specified (#6166) 2017-06-28 13:22:46 -04:00
nspawn-seccomp.c nspawn: implement configurable syscall whitelisting/blacklisting 2017-09-12 14:06:21 +02:00
nspawn-seccomp.h nspawn: implement configurable syscall whitelisting/blacklisting 2017-09-12 14:06:21 +02:00
nspawn-settings.c nspawn: implement configurable syscall whitelisting/blacklisting 2017-09-12 14:06:21 +02:00
nspawn-settings.h nspawn: implement configurable syscall whitelisting/blacklisting 2017-09-12 14:06:21 +02:00
nspawn-setuid.c Use "return log_error_errno" in more places" 2016-07-22 21:25:09 -04:00
nspawn-setuid.h tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-stub-pid1.c nspawn: make sure to send SIGTERM/SIGHUP to the main nspawn process if stubinit receives SIGRTMIN+3 (#6167) 2017-06-22 22:20:09 -04:00
nspawn-stub-pid1.h nspawn: flush out environment block of the -a stub init process 2016-12-14 18:29:30 +01:00
nspawn.c nspawn: implement configurable syscall whitelisting/blacklisting 2017-09-12 14:06:21 +02:00
test-patch-uid.c nspawn: optionally fix up OS tree uid/gids for userns 2016-04-25 12:15:57 +02:00