seccomp: add @filesystem syscall group (#4537)

@filesystem groups various file system operations, such as opening files and
directories for read/write and stat()ing them, plus renaming, deleting,
symlinking, hardlinking.

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 2ea4a53d188f7ceedc347a7934da53106abbda86..03e55a7aff62afa1fe622c401140260cafe272fb 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1355,6 +1355,10 @@
                 <entry>@debug</entry>
                 <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
               </row>
+              <row>
+                <entry>@file-system</entry>
+                <entry>File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links.</entry>
+              </row>
               <row>
                 <entry>@io-event</entry>
                 <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 4e4b2faca9a19efd490cad6807c5c7c5262f67f3..66b72b2b271ccd90b93a6fef688a036f990ba900 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -290,6 +290,78 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 #endif
                 "sys_debug_setcontext\0"
         },
+        [SYSCALL_FILTER_SET_FILE_SYSTEM] = {
+                .name = "@file-system",
+                .help = "File system operations",
+                .value =
+                "access\0"
+                "chdir\0"
+                "chmod\0"
+                "close\0"
+                "creat\0"
+                "faccessat\0"
+                "fallocate\0"
+                "fchdir\0"
+                "fchmod\0"
+                "fchmodat\0"
+                "fcntl64\0"
+                "fcntl\0"
+                "fgetxattr\0"
+                "flistxattr\0"
+                "fsetxattr\0"
+                "fstat64\0"
+                "fstat\0"
+                "fstatat64\0"
+                "fstatfs64\0"
+                "fstatfs\0"
+                "ftruncate64\0"
+                "ftruncate\0"
+                "futimesat\0"
+                "getcwd\0"
+                "getdents64\0"
+                "getdents\0"
+                "getxattr\0"
+                "inotify_add_watch\0"
+                "inotify_init1\0"
+                "inotify_rm_watch\0"
+                "lgetxattr\0"
+                "link\0"
+                "linkat\0"
+                "listxattr\0"
+                "llistxattr\0"
+                "lremovexattr\0"
+                "lsetxattr\0"
+                "lstat64\0"
+                "lstat\0"
+                "mkdir\0"
+                "mkdirat\0"
+                "mknod\0"
+                "mknodat\0"
+                "mmap2\0"
+                "mmap\0"
+                "newfstatat\0"
+                "open\0"
+                "openat\0"
+                "readlink\0"
+                "readlinkat\0"
+                "removexattr\0"
+                "rename\0"
+                "renameat2\0"
+                "renameat\0"
+                "rmdir\0"
+                "setxattr\0"
+                "stat64\0"
+                "stat\0"
+                "statfs\0"
+                "symlink\0"
+                "symlinkat\0"
+                "truncate64\0"
+                "truncate\0"
+                "unlink\0"
+                "unlinkat\0"
+                "utimensat\0"
+                "utimes\0"
+        },
         [SYSCALL_FILTER_SET_IO_EVENT] = {
                 .name = "@io-event",
                 .help = "Event loop system calls",

diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 438a6671bcef1cf7d28c78daa6f0302d87a3f7ad..01cf331b2932175d85150fc22124b58362fed400 100644 (file)
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -45,6 +45,7 @@ enum {
         SYSCALL_FILTER_SET_CLOCK,
         SYSCALL_FILTER_SET_CPU_EMULATION,
         SYSCALL_FILTER_SET_DEBUG,
+        SYSCALL_FILTER_SET_FILE_SYSTEM,
         SYSCALL_FILTER_SET_IO_EVENT,
         SYSCALL_FILTER_SET_IPC,
         SYSCALL_FILTER_SET_KEYRING,