]> git.ipfire.org Git - thirdparty/systemd.git/commit - man/systemd.exec.xml
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f3ab1d3) | patch
seccomp: add new system call filter, suitable as default whitelist for system services
authorLennart Poettering <lennart@poettering.net>
Wed, 18 Apr 2018 19:19:54 +0000 (21:19 +0200)
committerLennart Poettering <lennart@poettering.net>
Thu, 14 Jun 2018 15:44:20 +0000 (17:44 +0200)
commit705268414f6ba6aa96c56d6c39b5ebf74426e847
tree2269d0bc9a7ffee385bfca234500ce0f6ba22d1dtree | snapshot
parentf3ab1d39b1a5766f4dbbca5fe652df7e23e3c8fecommit | diff
seccomp: add new system call filter, suitable as default whitelist for system services

Currently we employ mostly system call blacklisting for our system
services. Let's add a new system call filter group @system-service that
helps turning this around into a whitelist by default.

The new group is very similar to nspawn's default filter list, but in
some ways more restricted (as sethostname() and suchlike shouldn't be
available to most system services just like that) and in others more
relaxed (for example @keyring is blocked in nspawn since it's not
properly virtualized yet in the kernel, but is fine for regular system
services).
man/systemd.exec.xml diff | blob | blame | history
src/shared/seccomp-util.c diff | blob | blame | history
src/shared/seccomp-util.h diff | blob | blame | history
src/test/test-seccomp.c diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.