picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/src/nspawn
History
Djalal Harouni 09d3020b0a seccomp: remove '@credentials' syscall set (#6958) 
This removes the '@credentials' syscall set that was added in commit
v234-468-gcd0ddf6f75.

Most of these syscalls are so simple that we do not want to filter them.
They work on the current calling process, doing only read operations,
they do not have a deep kernel path.

The problem may only be in 'capget' syscall since it can query arbitrary
processes, and used to discover processes, however sending signal 0 to
arbitrary processes can be used to discover if a process exists or not.
It is unfortunate that Linux allows to query processes of different
users. Lets put it now in '@process' syscall set, and later we may add
it to a new '@basic-process' set that allows most basic process
operations.
2017-10-03 07:20:05 +02:00
..
meson.build meson: reindent all files with 8 spaces 2017-04-23 21:47:29 -04:00
nspawn-cgroup.c Be slightly more verbose in error message 2017-07-02 12:03:56 -04:00
nspawn-cgroup.h nspawn: cleanup and chown the synced cgroup hierarchy (#4223) 2016-10-13 09:50:46 -04:00
nspawn-expose-ports.c core: introduce parse_ip_port (#4825) 2016-12-06 12:21:45 +01:00
nspawn-expose-ports.h tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-gperf.gperf nspawn: implement configurable syscall whitelisting/blacklisting 2017-09-12 14:06:21 +02:00
nspawn-mount.c nspawn: do not mount /sys/fs/kdbus 2017-07-23 12:03:00 -04:00
nspawn-mount.h nspawn: Add support for sysroot pivoting (#5258) 2017-02-08 16:54:31 +01:00
nspawn-network.c Fix includes (#5980) 2017-05-19 10:01:35 -04:00
nspawn-network.h nspawn: add new --network-zone= switch for automatically managed bridge devices 2016-05-09 15:45:31 +02:00
nspawn-patch-uid.c nspawn: properly report all kinds of changed UID/GID when patching things for userns 2017-10-02 17:41:43 +02:00
nspawn-patch-uid.h nspawn: optionally fix up OS tree uid/gids for userns 2016-04-25 12:15:57 +02:00
nspawn-register.c nspawn: wait for the scope to be created (#6261) 2017-07-03 07:59:49 +02:00
nspawn-register.h nspawn: register a scope for the unit if --register=no is specified (#6166) 2017-06-28 13:22:46 -04:00
nspawn-seccomp.c seccomp: remove '@credentials' syscall set (#6958) 2017-10-03 07:20:05 +02:00
nspawn-seccomp.h nspawn: implement configurable syscall whitelisting/blacklisting 2017-09-12 14:06:21 +02:00
nspawn-settings.c nspawn: implement configurable syscall whitelisting/blacklisting 2017-09-12 14:06:21 +02:00
nspawn-settings.h nspawn: implement configurable syscall whitelisting/blacklisting 2017-09-12 14:06:21 +02:00
nspawn-setuid.c Use "return log_error_errno" in more places" 2016-07-22 21:25:09 -04:00
nspawn-setuid.h tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-stub-pid1.c nspawn: make sure to send SIGTERM/SIGHUP to the main nspawn process if stubinit receives SIGRTMIN+3 (#6167) 2017-06-22 22:20:09 -04:00
nspawn-stub-pid1.h nspawn: flush out environment block of the -a stub init process 2016-12-14 18:29:30 +01:00
nspawn.c tree-wide: use IN_SET where possible 2017-10-02 13:09:54 +02:00
test-patch-uid.c nspawn: optionally fix up OS tree uid/gids for userns 2016-04-25 12:15:57 +02:00