From: Djalal Harouni
Date: Thu, 5 Oct 2017 12:46:41 +0000 (+0200)
Subject: seccomp: remove 'gettid' syscall from '@process' syscall set (#6989)
X-Git-Tag: v235~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c72bab4e35abe8884c3def83aae42b6638685da;p=thirdparty%2Fsystemd.git

seccomp: remove 'gettid' syscall from '@process' syscall set (#6989)

The gettid syscall is one of the most basic syscalls, it never fails and it operates on the current thread. Most applications are not supposed to use it, however even if it is used there is not much justification for blocking it.

This patch removes it from the '@process' set so if users blacklist this set to block setns or clone syscalls, the gettid syscall will still be available. Of course they can always block gettid explicitly.

Note that gettid is already in the '@default' set.
---
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 73dc571b6bb..a2354325d18 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -647,7 +647,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "execveat\0" "fork\0" "getrusage\0" - "gettid\0" "kill\0" "prctl\0" "rt_sigqueueinfo\0"
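Review bot: the hunk only touches the '@process' entry of syscall_filter_sets, so the commit message's claim that gettid is already in '@default' is not verifiable from this diff; please confirm the '@default' entry in the same table still lists "gettid\0" before merging. That matters for the allow-list case as much as the deny-list case the message describes: a unit using SystemCallFilter=@process as an allow-list keeps gettid only because systemd implicitly includes '@default' in allow-list filters, so if it were ever dropped from '@default' this removal would silently start killing threads that call gettid(). A one-line mention of the allow-list behaviour in the commit message, or a comment next to the '@process' table entry, would make the reasoning clear to the next reader; the remaining entries stay in alphabetical order, so no other change is needed here.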