picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/src/nspawn
History
Lennart Poettering 54a17e01de nspawn: lock down system call filter a bit 
Let's block access to the kernel keyring and a number of obsolete system calls.
Also, update list of syscalls that may alter the system clock, and do raw IO
access. Filter ptrace() if CAP_SYS_PTRACE is not passed to the container and
acct() if CAP_SYS_PACCT is not passed.

This also changes things so that kexec(), some profiling calls, the swap calls
and quotactl() is never available to containers, not even if CAP_SYS_ADMIN is
passed. After all we currently permit CAP_SYS_ADMIN to containers by default,
but these calls should not be available, even then.
2016-06-13 16:25:54 +02:00
..
.gitignore nspawn: add new .nspawn files for container settings 2015-09-06 01:49:06 +02:00
Makefile build-sys: add stub makefiles to all subdirs to ease development with emacs 2012-04-13 21:37:59 +02:00
nspawn-cgroup.c core: update populated event handling in unified hierarchy 2016-03-26 12:05:57 -04:00
nspawn-cgroup.h tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-expose-ports.c tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-expose-ports.h tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-gperf.gperf nspawn: introduce --notify-ready=[no|yes] (#3474) 2016-06-10 13:09:06 +02:00
nspawn-mount.c prevent systemd-nspawn from trying to create target 2016-04-01 17:31:55 +02:00
nspawn-mount.h tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-network.c nspawn: add new --network-zone= switch for automatically managed bridge devices 2016-05-09 15:45:31 +02:00
nspawn-network.h nspawn: add new --network-zone= switch for automatically managed bridge devices 2016-05-09 15:45:31 +02:00
nspawn-patch-uid.c nspawn: rename is_procfs_sysfs_or_suchlike() to is_fs_fully_userns_compatible() 2016-05-26 22:39:34 +02:00
nspawn-patch-uid.h nspawn: optionally fix up OS tree uid/gids for userns 2016-04-25 12:15:57 +02:00
nspawn-register.c shared: move unit-specific code from bus-util.h to bus-unit-util.h 2016-04-22 16:06:20 +02:00
nspawn-register.h tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-seccomp.c nspawn: lock down system call filter a bit 2016-06-13 16:25:54 +02:00
nspawn-seccomp.h nspawn: split out seccomp call into nspawn-seccomp.[ch] 2016-05-26 22:42:29 +02:00
nspawn-settings.c nspawn: add new --network-zone= switch for automatically managed bridge devices 2016-05-09 15:45:31 +02:00
nspawn-settings.h nspawn: introduce --notify-ready=[no|yes] (#3474) 2016-06-10 13:09:06 +02:00
nspawn-setuid.c tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-setuid.h tree-wide: remove Emacs lines from all files 2016-02-10 13:41:57 +01:00
nspawn-stub-pid1.c nspawn: optionally run a stub init process as PID 1 2016-02-03 23:58:24 +01:00
nspawn-stub-pid1.h nspawn: optionally run a stub init process as PID 1 2016-02-03 23:58:24 +01:00
nspawn.c nspawn: order caps to retain alphabetically 2016-06-13 16:25:54 +02:00
test-patch-uid.c nspawn: optionally fix up OS tree uid/gids for userns 2016-04-25 12:15:57 +02:00