git.ipfire.org Git - thirdparty/systemd.git/commit
nspawn: implement configurable syscall whitelisting/blacklisting (ref: 6798/head)
author    Lennart Poettering <lennart@poettering.net>
          Mon, 11 Sep 2017 15:45:21 +0000 (17:45 +0200)
committer Lennart Poettering <lennart@poettering.net>
          Tue, 12 Sep 2017 12:06:21 +0000 (14:06 +0200)
commit    960e4569e17abf7c84f07b697d57ac7d0418edfc
tree      dd8c180c850f0c97fdf6811b6296e79a6d5b7d6b
parent    7609340e2f9d5b5fd46fa767dd41184b273d7e48
nspawn: implement configurable syscall whitelisting/blacklisting

Now that we have ported nspawn's seccomp code to the generic code in
seccomp-util, let's extend it to support whitelisting and blacklisting
of specific additional syscalls.

This uses a similar syntax to PID1's support for system call filtering,
but in contrast to that always implements a blacklist (and not a
whitelist), as we prepopulate the filter with a blacklist, and the
unit's system call filter logic does not come with anything
prepopulated.

(Later on we might actually want to invert the logic here, and
whitelist rather than blacklist things, but at this point let's not do
that. In case we switch this over later, the syscall add/remove logic of
this commit should be compatible conceptually.)

Fixes: #5163
Replaces: #5944
man/systemd-nspawn.xml
man/systemd.nspawn.xml
src/nspawn/nspawn-gperf.gperf
src/nspawn/nspawn-seccomp.c
src/nspawn/nspawn-seccomp.h
src/nspawn/nspawn-settings.c
src/nspawn/nspawn-settings.h
src/nspawn/nspawn.c
src/shared/seccomp-util.c
src/shared/seccomp-util.h
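As an added example, not part of this commit page and not the project's own documentation: a `.nspawn` settings fragment exercising the add/remove logic the commit message describes. The setting name `SystemCallFilter=` in the `[Exec]` section, the `~` prefix meaning "prohibit", the `@group` names and the rule that a negative list wins over a positive one are taken from the nspawn man page as shipped after this change, not from this page, and are stated here as assumptions; which calls sit on nspawn's default blacklist is likewise assumed for the illustration.

```ini
# /etc/systemd/nspawn/webapp.nspawn  (file name constructed for this example)
[Exec]
# Remove a call from the prepopulated blacklist, i.e. permit it inside the
# container. Assumption: bare names are "allow" entries and "bpf" is on the
# default nspawn blacklist.
SystemCallFilter=bpf

# Add calls to the blacklist on top of the defaults, i.e. prohibit them.
# Assumption: a leading "~" marks the whole list as "prohibit"; "@mount" is a
# syscall group whose members can be listed with "systemd-analyze syscall-filter".
SystemCallFilter=~@mount userfaultfd

# Lines accumulate rather than override each other. If a call appears in both a
# bare list and a "~" list, the "~" (prohibit) entry takes precedence, so the
# line below does not re-enable userfaultfd (assumption from the man page).
SystemCallFilter=userfaultfd
```

Because nspawn starts from a populated blacklist, the meaning of a bare name is the inverse of PID1's `SystemCallFilter=`, where a bare list defines a whitelist; that is the point the commit message makes, and it is worth a comment in any shared `.nspawn` file so nobody copies a unit-style allow list expecting it to restrict the container. The same list syntax is available on the command line as `--system-call-filter=` (assumed from the man page).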