From 4c3a917617260956faeb4eceb606c316f6bea407 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Sat, 30 Sep 2017 14:08:26 +0200
Subject: [PATCH] seccomp: include prlimit64 and ugetrlimit in @default

Also, move prlimit64() out of @resources. prlimit64() may be used both for getting and setting resource limits, and is implicitly called by glibc at various places, on some archs, the same was as getrlimit(). SImilar, igetrlimit() is an arch-specific replacement for getrlimit(), and hence should be whitelisted at the same place as getrlimit() and prlimit64(). Also see: https://lists.freedesktop.org/archives/systemd-devel/2017-September/039543.html
---
 src/nspawn/nspawn-seccomp.c | 1 -
 src/shared/seccomp-util.c | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 196766dc984..92d8103ad5c 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -136,7 +136,6 @@ static int seccomp_add_default_syscall_filter(
 { 0, "syncfs" },
 { 0, "sysinfo" },
 { 0, "tee" },
- { 0, "ugetrlimit" },
 { 0, "umask" },
 { 0, "uname" },
 { 0, "userfaultfd" },
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 41e0070b12a..6a4d30bac16 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -306,6 +306,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "membarrier\0"
 "nanosleep\0"
 "pause\0"
+ "prlimit64\0"
 "restart_syscall\0"
 "rt_sigreturn\0"
 "sched_yield\0"
@@ -314,6 +315,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "set_tid_address\0"
 "sigreturn\0"
 "time\0"
+ "ugetrlimit\0"
 },
 [SYSCALL_FILTER_SET_BASIC_IO] = {
 .name = "@basic-io",
@@ -693,7 +695,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "migrate_pages\0"
 "move_pages\0"
 "nice\0"
- "prlimit64\0"
 "sched_setaffinity\0"
 "sched_setattr\0"
 "sched_setparam\0"
--
2.47.3
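Review bot: Adding `"prlimit64\0"` to the `@default` set in the `-306,6 +306,7` hunk of src/shared/seccomp-util.c permits the limit-setting half of the call as well as the getting half, because the table lists bare syscall names with no argument condition. Together with the `-693,7 +695,6` hunk, which drops the entry from the set the commit message names as @resources, a unit that denies `@resources` to stop a service from changing resource limits would no longer cover prlimit64(); whether allow-lists pull in @default implicitly is not visible here, but if they do, the same applies to them. I would record the trade-off next to the new entry, e.g. `/* prlimit64: glibc implements getrlimit() with it on some archs; note it can also set limits */`, and state in the filter-set documentation that operators relying on `~@resources` need to list `prlimit64` explicitly. Both string tables begin and end outside the hunks, so the rest of each set could not be checked.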