"membarrier\0"
"nanosleep\0"
"pause\0"
+ "prlimit64\0"
"restart_syscall\0"
"rt_sigreturn\0"
"sched_yield\0"
"set_tid_address\0"
"sigreturn\0"
"time\0"
+ "ugetrlimit\0"
+ },
+ [SYSCALL_FILTER_SET_AIO] = {
+ .name = "@aio",
+ .help = "Asynchronous IO",
+ .value =
+ "io_cancel\0"
+ "io_destroy\0"
+ "io_getevents\0"
+ "io_setup\0"
+ "io_submit\0"
},
[SYSCALL_FILTER_SET_BASIC_IO] = {
.name = "@basic-io",
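Review bot: The added `prlimit64` entry is not read-only like the `ugetrlimit` entry added beside it, because the same call can also change resource limits. Every filter that includes this set therefore now permits limit changes as well as queries. The set's name and help text are above the hunk, so I cannot tell whether that is intended. If it is listed only because libc may route getrlimit() through it, say so next to the entry, e.g. `/* prlimit64 can also set limits; listed because getrlimit() may be implemented with it */`. The removal of `prlimit64` from the set containing `sched_setaffinity` further down is the other half of this move.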
"lseek\0"
"pread64\0"
"preadv\0"
+ "preadv2\0"
"pwrite64\0"
"pwritev\0"
+ "pwritev2\0"
"read\0"
"readv\0"
"write\0"
"writev\0"
},
+ [SYSCALL_FILTER_SET_CHOWN] = {
+ .name = "@chown",
+ .help = "Change ownership of files and directories",
+ .value =
+ "chown\0"
+ "chown32\0"
+ "fchown\0"
+ "fchown32\0"
+ "fchownat\0"
+ "lchown\0"
+ "lchown32\0"
+ },
[SYSCALL_FILTER_SET_CLOCK] = {
.name = "@clock",
.help = "Change the system time",
.name = "@privileged",
.help = "All system calls which need super-user capabilities",
.value =
+ "@chown\0"
"@clock\0"
"@module\0"
"@raw-io\0"
"acct\0"
"bpf\0"
"capset\0"
- "chown\0"
- "chown32\0"
"chroot\0"
- "fchown\0"
- "fchown32\0"
- "fchownat\0"
"kexec_file_load\0"
"kexec_load\0"
- "lchown\0"
- "lchown32\0"
"nfsservctl\0"
"pivot_root\0"
"quotactl\0"
"execveat\0"
"fork\0"
"getrusage\0"
- "gettid\0"
"kill\0"
"prctl\0"
"rt_sigqueueinfo\0"
"migrate_pages\0"
"move_pages\0"
"nice\0"
- "prlimit64\0"
"sched_setaffinity\0"
"sched_setattr\0"
"sched_setparam\0"
"swapoff\0"
"swapon\0"
},
+ [SYSCALL_FILTER_SET_SYNC] = {
+ .name = "@sync",
+ .help = "Synchronize files and memory to storage",
+ .value =
+ "fdatasync\0"
+ "fsync\0"
+ "msync\0"
+ "sync\0"
+ "sync_file_range\0"
+ "syncfs\0"
+ },
[SYSCALL_FILTER_SET_TIMER] = {
.name = "@timer",
.help = "Schedule operations by time",
id = seccomp_syscall_resolve_name(name);
if (id == __NR_SCMP_ERROR) {
- log_debug("System call %s is not known!", name);
- return -EINVAL; /* Not known at all? Then that's a real error */
+ log_debug("System call %s is not known, ignoring.", name);
+ return 0;
}
r = seccomp_rule_add_exact(seccomp, action, id, 0);
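Review bot: Returning 0 when `seccomp_syscall_resolve_name(name)` fails is safe for an allow-list but not obviously so for a deny-list. If the installed libseccomp does not know a name that the running kernel implements, that call is left unfiltered and the only trace is a `log_debug` line. Whether `action` is allow or deny is decided by the caller, which is outside the hunk. I would record the trade-off at the return, e.g. `/* Unknown to libseccomp: no rule is added, so a deny-list will not cover this call */`, and consider a more visible log level for the deny case. The same applies to the `continue` added after `seccomp_syscall_resolve_name(i)` further down; the enclosing function starts and ends outside this hunk.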
if (r < 0)
break;
}
-
if (r < 0) {
log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
continue;
if (r < 0)
break;
}
-
if (r < 0) {
log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
continue;
if (r < 0)
return r;
- return seccomp_load(seccomp);
+ r = seccomp_load(seccomp);
+ if (IN_SET(r, -EPERM, -EACCES))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
+
+ return 0;
}
int parse_syscall_archs(char **l, Set **archs) {
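Review bot: A `seccomp_load()` failure other than -EPERM/-EACCES is now logged at debug level and the function returns 0, so a caller cannot tell "architecture restriction installed" from "restriction skipped". For a hardening setting that is a fail-open path, and the choice should be stated where it happens, e.g. `/* Best effort: any other load failure leaves the process without the architecture restriction */` above the `log_debug_errno` call. If callers need to know, a distinct positive return value for the skipped case would still satisfy existing `r < 0` checks. The start of the function is outside the hunk.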
if (!more)
return -ENXIO;
-
r = seccomp_filter_set_add(filter, add, more);
if (r < 0)
return r;
int id;
id = seccomp_syscall_resolve_name(i);
- if (id == __NR_SCMP_ERROR)
- return -ENXIO;
+ if (id == __NR_SCMP_ERROR) {
+ log_debug("Couldn't resolve system call, ignoring: %s", i);
+ continue;
+ }
if (add) {
r = set_put(filter, INT_TO_PTR(id + 1));
SCMP_SYS(personality),
1,
SCMP_A0(SCMP_CMP_NE, personality));
- if (r < 0)
- return r;
+ if (r < 0) {
+ log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ continue;
+ }
r = seccomp_load(seccomp);
if (IN_SET(r, -EPERM, -EACCES))