+/* SPDX-License-Identifier: LGPL-2.1+ */
/***
- This file is part of systemd.
-
Copyright 2016 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <errno.h>
#include <sys/capability.h>
#include <sys/types.h>
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
#include <seccomp.h>
#endif
#include "alloc-util.h"
#include "log.h"
#include "nspawn-seccomp.h"
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
#include "seccomp-util.h"
#endif
#include "string-util.h"
#include "strv.h"
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
static int seccomp_add_default_syscall_filter(
scmp_filter_ctx ctx,
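Review bot: Rewriting the three `#ifdef HAVE_SECCOMP` guards as `#if HAVE_SECCOMP` means an undefined macro now evaluates silently to 0, so if this file were ever compiled without the generated config header force-included first, the entire seccomp filter would be compiled out with no build error rather than failing loudly. Losing a sandboxing layer that quietly is worth guarding against: the tree should build with `-Wundef` (ideally `-Werror=undef`), or the config header should be known to always define HAVE_SECCOMP as 0 or 1; neither is visible from this hunk, so I am assuming the build system handles it. A one-line comment on the first guard, `/* HAVE_SECCOMP is defined (0 or 1) by the build system; -Wundef catches a missing config include */`, would record that assumption for the next reader. seccomp_add_default_syscall_filter's signature begins at the end of this hunk and its body continues outside it.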
const char* name;
} whitelist[] = {
/* Let's use set names where we can */
+ { 0, "@aio" },
{ 0, "@basic-io" },
- { 0, "@credentials" },
+ { 0, "@chown" },
{ 0, "@default" },
{ 0, "@file-system" },
{ 0, "@io-event" },
{ 0, "@resources" },
{ 0, "@setuid" },
{ 0, "@signal" },
+ { 0, "@sync" },
{ 0, "@timer" },
/* The following four are sets we optionally enable, in case the caps have been configured for it */
/* Plus a good set of additional syscalls which are not part of any of the groups above */
{ 0, "brk" },
+ { 0, "capget" },
{ 0, "capset" },
- { 0, "chown" },
- { 0, "chown32" },
{ 0, "copy_file_range" },
{ 0, "fadvise64" },
{ 0, "fadvise64_64" },
- { 0, "fchown" },
- { 0, "fchown32" },
- { 0, "fchownat" },
- { 0, "fdatasync" },
{ 0, "flock" },
- { 0, "fsync" },
{ 0, "get_mempolicy" },
{ 0, "getcpu" },
{ 0, "getpriority" },
{ 0, "getrandom" },
- { 0, "io_cancel" },
- { 0, "io_destroy" },
- { 0, "io_getevents" },
- { 0, "io_setup" },
- { 0, "io_submit" },
{ 0, "ioctl" },
{ 0, "ioprio_get" },
{ 0, "kcmp" },
- { 0, "lchown" },
- { 0, "lchown32" },
{ 0, "madvise" },
{ 0, "mincore" },
{ 0, "mprotect" },
{ 0, "mremap" },
- { 0, "msync" },
{ 0, "name_to_handle_at" },
{ 0, "oldolduname" },
{ 0, "olduname" },
{ 0, "personality" },
- { 0, "preadv2" },
- { 0, "pwritev2" },
{ 0, "readahead" },
{ 0, "readdir" },
{ 0, "remap_file_pages" },
{ 0, "setpgid" },
{ 0, "setsid" },
{ 0, "splice" },
- { 0, "sync" },
- { 0, "sync_file_range" },
- { 0, "syncfs" },
{ 0, "sysinfo" },
{ 0, "tee" },
- { 0, "ugetrlimit" },
{ 0, "umask" },
{ 0, "uname" },
{ 0, "userfaultfd" },