Systemd/src
Lennart Poettering 705268414f seccomp: add new system call filter, suitable as default whitelist for system services
Currently we employ mostly system call blacklisting for our system
services. Let's add a new system call filter group @system-service that
helps turning this around into a whitelist by default.

The new group is very similar to nspawn's default filter list, but in
some ways more restricted (as sethostname() and suchlike shouldn't be
available to most system services just like that) and in others more
relaxed (for example @keyring is blocked in nspawn since it's not
properly virtualized yet in the kernel, but is fine for regular system
services).
2018-06-14 17:44:20 +02:00
ac-power tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
activate Drop my copyright headers 2018-06-14 13:03:20 +02:00
analyze Drop my copyright headers 2018-06-14 13:03:20 +02:00
ask-password tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
backlight tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
basic Fix SPDX license tags 2018-06-14 13:05:41 +02:00
binfmt tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
boot Drop more license boilerplate 2018-06-14 13:05:41 +02:00
busctl tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
cgls tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
cgroups-agent tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
cgtop tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
core Drop my copyright headers 2018-06-14 13:03:20 +02:00
coredump Drop my copyright headers 2018-06-14 13:03:20 +02:00
cryptsetup tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
debug-generator tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
delta Drop my copyright headers 2018-06-14 13:03:20 +02:00
detect-virt tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
dissect tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
environment-d-generator Drop my copyright headers 2018-06-14 13:03:20 +02:00
escape tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
firstboot tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
fsck tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
fstab-generator tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
fuzz tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
getty-generator tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
gpt-auto-generator tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
hibernate-resume tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
hostname Drop my copyright headers 2018-06-14 13:03:20 +02:00
hwdb tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
import Drop my copyright headers 2018-06-14 13:03:20 +02:00
initctl tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
journal Drop my copyright headers 2018-06-14 13:03:20 +02:00
journal-remote Drop my copyright headers 2018-06-14 13:03:20 +02:00
kernel-install Drop my copyright headers 2018-06-14 13:03:20 +02:00
libsystemd Drop my copyright headers 2018-06-14 13:03:20 +02:00
libsystemd-network Drop my copyright headers 2018-06-14 13:03:20 +02:00
libudev Drop my copyright headers 2018-06-14 13:03:20 +02:00
locale Drop my copyright headers 2018-06-14 13:03:20 +02:00
login Drop my copyright headers 2018-06-14 13:03:20 +02:00
machine Drop my copyright headers 2018-06-14 13:03:20 +02:00
machine-id-setup tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
modules-load tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
mount tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
network Drop my copyright headers 2018-06-14 13:03:20 +02:00
notify tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
nspawn Drop my copyright headers 2018-06-14 13:03:20 +02:00
nss-myhostname tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
nss-mymachines tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
nss-resolve tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
nss-systemd tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
partition Drop my copyright headers 2018-06-14 13:03:20 +02:00
path tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
portable tree-wide: unify how we define bit mak enums 2018-06-12 21:44:00 +02:00
quotacheck tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
random-seed tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
rc-local-generator tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
remount-fs tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
reply-password tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
resolve Drop my copyright headers 2018-06-14 13:03:20 +02:00
rfkill tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
run tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
shared seccomp: add new system call filter, suitable as default whitelist for system services 2018-06-14 17:44:20 +02:00
sleep Drop my copyright headers 2018-06-14 13:03:20 +02:00
socket-proxy tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
stdio-bridge tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
sulogin-shell tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
sysctl tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
system-update-generator tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
systemctl tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
systemd Drop my copyright headers 2018-06-14 13:03:20 +02:00
sysusers Merge pull request #9274 from poettering/comment-header-cleanup 2018-06-14 11:26:50 +02:00
sysv-generator tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
test seccomp: add new system call filter, suitable as default whitelist for system services 2018-06-14 17:44:20 +02:00
time-wait-sync Drop more license boilerplate 2018-06-14 13:05:41 +02:00
timedate Drop my copyright headers 2018-06-14 13:03:20 +02:00
timesync Drop my copyright headers 2018-06-14 13:03:20 +02:00
tmpfiles Drop my copyright headers 2018-06-14 13:03:20 +02:00
tty-ask-password-agent tree-wide: beautify remaining copyright statements 2018-06-14 10:20:21 +02:00
udev Drop more license boilerplate 2018-06-14 13:05:41 +02:00
update-done tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
update-utmp tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
user-sessions tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
vconsole Drop my copyright headers 2018-06-14 13:03:20 +02:00
veritysetup tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00
volatile-root tree-wide: remove Lennart's copyright lines 2018-06-14 10:20:20 +02:00