seccomp: add two new filter sets: @reboot and @swap

[thirdparty/systemd.git] / src / shared / seccomp-util.c

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 66b72b2b271ccd90b93a6fef688a036f990ba900..28c2079f3008762319d68fdd523603a88d6aa5a6 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -566,6 +566,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "s390_pci_mmio_write\0"
 #endif
         },
+        [SYSCALL_FILTER_SET_REBOOT] = {
+                .name = "@reboot",
+                .help = "Reboot and reboot preparation/kexec",
+                .value =
+                "kexec\0"
+                "kexec_file_load\0"
+                "reboot\0"
+        },
         [SYSCALL_FILTER_SET_RESOURCES] = {
                 /* Alter resource settings */
                 .name = "@resources",
@@ -582,6 +590,13 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "sched_setattr\0"
                 "prlimit64\0"
         },
+        [SYSCALL_FILTER_SET_SWAP] = {
+                .name = "@swap",
+                .help = "Enable/disable swap devices",
+                .value =
+                "swapoff\0"
+                "swapon\0"
+        },
 };
 
 const SyscallFilterSet *syscall_filter_set_find(const char *name) {