seccomp: include prlimit64 and ugetrlimit in @default

Also, move prlimit64() out of @resources.

prlimit64() may be used both for getting and setting resource limits, and
is implicitly called by glibc at various places, on some archs, the same
was as getrlimit(). SImilar, igetrlimit() is an arch-specific
replacement for getrlimit(), and hence should be whitelisted at the same
place as getrlimit() and prlimit64().

Also see: https://lists.freedesktop.org/archives/systemd-devel/2017-September/039543.html

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 196766dc98451fe78c74115228cd67dc7abe88f4..92d8103ad5c622ab0b458ebc677783ffea345994 100644 (file)
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -136,7 +136,6 @@ static int seccomp_add_default_syscall_filter(
                 { 0,                  "syncfs"                 },
                 { 0,                  "sysinfo"                },
                 { 0,                  "tee"                    },
-                { 0,                  "ugetrlimit"             },
                 { 0,                  "umask"                  },
                 { 0,                  "uname"                  },
                 { 0,                  "userfaultfd"            },

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 41e0070b12a1e789cef3a939830601335273a407..6a4d30bac163b4183bafe577362cb0b1e356b8e7 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -306,6 +306,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "membarrier\0"
                 "nanosleep\0"
                 "pause\0"
+                "prlimit64\0"
                 "restart_syscall\0"
                 "rt_sigreturn\0"
                 "sched_yield\0"
@@ -314,6 +315,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "set_tid_address\0"
                 "sigreturn\0"
                 "time\0"
+                "ugetrlimit\0"
         },
         [SYSCALL_FILTER_SET_BASIC_IO] = {
                 .name = "@basic-io",
@@ -693,7 +695,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "migrate_pages\0"
                 "move_pages\0"
                 "nice\0"
-                "prlimit64\0"
                 "sched_setaffinity\0"
                 "sched_setattr\0"
                 "sched_setparam\0"