const char* name;
} allow_list[] = {
/* Let's use set names where we can */
- { 0, "@aio" },
- { 0, "@basic-io" },
- { 0, "@chown" },
- { 0, "@default" },
- { 0, "@file-system" },
- { 0, "@io-event" },
- { 0, "@ipc" },
- { 0, "@mount" },
- { 0, "@network-io" },
- { 0, "@process" },
- { 0, "@resources" },
- { 0, "@setuid" },
- { 0, "@signal" },
- { 0, "@sync" },
- { 0, "@timer" },
-
- /* The following four are sets we optionally enable, in case the caps have been configured for it */
- { CAP_SYS_TIME, "@clock" },
- { CAP_SYS_MODULE, "@module" },
- { CAP_SYS_RAWIO, "@raw-io" },
- { CAP_IPC_LOCK, "@memlock" },
+ { 0, "@aio" },
+ { 0, "@basic-io" },
+ { 0, "@chown" },
+ { 0, "@default" },
+ { 0, "@file-system" },
+ { 0, "@io-event" },
+ { 0, "@ipc" },
+ { 0, "@mount" },
+ { 0, "@network-io" },
+ { 0, "@process" },
+ { 0, "@resources" },
+ { 0, "@setuid" },
+ { 0, "@signal" },
+ { 0, "@sync" },
+ { 0, "@timer" },
+
+ /* The following four are sets we optionally enable, n case the caps have been configured for it */
+ { CAP_SYS_TIME, "@clock" },
+ { CAP_SYS_MODULE, "@module" },
+ { CAP_SYS_RAWIO, "@raw-io" },
+ { CAP_IPC_LOCK, "@memlock" },
/* Plus a good set of additional syscalls which are not part of any of the groups above */
- { 0, "brk" },
- { 0, "capget" },
- { 0, "capset" },
- { 0, "copy_file_range" },
- { 0, "fadvise64" },
- { 0, "fadvise64_64" },
- { 0, "flock" },
- { 0, "get_mempolicy" },
- { 0, "getcpu" },
- { 0, "getpriority" },
- { 0, "getrandom" },
- { 0, "ioctl" },
- { 0, "ioprio_get" },
- { 0, "kcmp" },
- { 0, "madvise" },
- { 0, "mincore" },
- { 0, "mprotect" },
- { 0, "mremap" },
- { 0, "name_to_handle_at" },
- { 0, "oldolduname" },
- { 0, "olduname" },
- { 0, "personality" },
- { 0, "readahead" },
- { 0, "readdir" },
- { 0, "remap_file_pages" },
- { 0, "sched_get_priority_max" },
- { 0, "sched_get_priority_min" },
- { 0, "sched_getaffinity" },
- { 0, "sched_getattr" },
- { 0, "sched_getparam" },
- { 0, "sched_getscheduler" },
- { 0, "sched_rr_get_interval" },
+ { 0, "brk" },
+ { 0, "capget" },
+ { 0, "capset" },
+ { 0, "copy_file_range" },
+ { 0, "fadvise64" },
+ { 0, "fadvise64_64" },
+ { 0, "flock" },
+ { 0, "get_mempolicy" },
+ { 0, "getcpu" },
+ { 0, "getpriority" },
+ { 0, "getrandom" },
+ { 0, "ioctl" },
+ { 0, "ioprio_get" },
+ { 0, "kcmp" },
+ { 0, "madvise" },
+ { 0, "mincore" },
+ { 0, "mprotect" },
+ { 0, "mremap" },
+ { 0, "name_to_handle_at" },
+ { 0, "oldolduname" },
+ { 0, "olduname" },
+ { 0, "personality" },
+ { 0, "readahead" },
+ { 0, "readdir" },
+ { 0, "remap_file_pages" },
+ { 0, "sched_get_priority_max" },
+ { 0, "sched_get_priority_min" },
+ { 0, "sched_getaffinity" },
+ { 0, "sched_getattr" },
+ { 0, "sched_getparam" },
+ { 0, "sched_getscheduler" },
+ { 0, "sched_rr_get_interval" },
{ 0, "sched_rr_get_interval_time64" },
- { 0, "sched_yield" },
- { 0, "seccomp" },
- { 0, "sendfile" },
- { 0, "sendfile64" },
- { 0, "setdomainname" },
- { 0, "setfsgid" },
- { 0, "setfsgid32" },
- { 0, "setfsuid" },
- { 0, "setfsuid32" },
- { 0, "sethostname" },
- { 0, "setpgid" },
- { 0, "setsid" },
- { 0, "splice" },
- { 0, "sysinfo" },
- { 0, "tee" },
- { 0, "umask" },
- { 0, "uname" },
- { 0, "userfaultfd" },
- { 0, "vmsplice" },
+ { 0, "sched_yield" },
+ { 0, "seccomp" },
+ { 0, "sendfile" },
+ { 0, "sendfile64" },
+ { 0, "setdomainname" },
+ { 0, "setfsgid" },
+ { 0, "setfsgid32" },
+ { 0, "setfsuid" },
+ { 0, "setfsuid32" },
+ { 0, "sethostname" },
+ { 0, "setpgid" },
+ { 0, "setsid" },
+ { 0, "splice" },
+ { 0, "sysinfo" },
+ { 0, "tee" },
+ { 0, "umask" },
+ { 0, "uname" },
+ { 0, "userfaultfd" },
+ { 0, "vmsplice" },
/* The following individual syscalls are added depending on specified caps */
- { CAP_SYS_PACCT, "acct" },
- { CAP_SYS_PTRACE, "process_vm_readv" },
- { CAP_SYS_PTRACE, "process_vm_writev" },
- { CAP_SYS_PTRACE, "ptrace" },
- { CAP_SYS_BOOT, "reboot" },
- { CAP_SYSLOG, "syslog" },
- { CAP_SYS_TTY_CONFIG, "vhangup" },
+ { CAP_SYS_PACCT, "acct" },
+ { CAP_SYS_PTRACE, "process_vm_readv" },
+ { CAP_SYS_PTRACE, "process_vm_writev" },
+ { CAP_SYS_PTRACE, "ptrace" },
+ { CAP_SYS_BOOT, "reboot" },
+ { CAP_SYSLOG, "syslog" },
+ { CAP_SYS_TTY_CONFIG, "vhangup" },
/*
* The following syscalls and groups are knowingly excluded:
projects / thirdparty / systemd.git / commitdiff
