seccomp-util: move @default to the first position

Now that the list is user-visible, @default should be first.

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index c9b24f1065d7554ae9cf148f812c5b7498cbf0a5..325dcc866ed394e785fc7560a9ebc07c3d09550f 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -217,6 +217,24 @@ bool is_seccomp_available(void) {
 }
 
 const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
+        [SYSCALL_FILTER_SET_DEFAULT] = {
+                /* Default list: the most basic of operations */
+                .name = "@default",
+                .value =
+                "clock_getres\0"
+                "clock_gettime\0"
+                "clock_nanosleep\0"
+                "execve\0"
+                "exit\0"
+                "exit_group\0"
+                "getrlimit\0"      /* make sure processes can query stack size and such */
+                "gettimeofday\0"
+                "nanosleep\0"
+                "pause\0"
+                "rt_sigreturn\0"
+                "sigreturn\0"
+                "time\0"
+        },
         [SYSCALL_FILTER_SET_BASIC_IO] = {
                 /* Basic IO */
                 .name = "@basic-io",
@@ -270,24 +288,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 #endif
                 "sys_debug_setcontext\0"
         },
-        [SYSCALL_FILTER_SET_DEFAULT] = {
-                /* Default list: the most basic of operations */
-                .name = "@default",
-                .value =
-                "clock_getres\0"
-                "clock_gettime\0"
-                "clock_nanosleep\0"
-                "execve\0"
-                "exit\0"
-                "exit_group\0"
-                "getrlimit\0"      /* make sure processes can query stack size and such */
-                "gettimeofday\0"
-                "nanosleep\0"
-                "pause\0"
-                "rt_sigreturn\0"
-                "sigreturn\0"
-                "time\0"
-        },
         [SYSCALL_FILTER_SET_IO_EVENT] = {
                 /* Event loop use */
                 .name = "@io-event",

diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 8e209efef2ad44d4d33881f93ffa2a8653ff7c5d..ce7417b0ba4751c9c1b445441376196e2f280d3a 100644 (file)
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -38,11 +38,12 @@ typedef struct SyscallFilterSet {
 } SyscallFilterSet;
 
 enum {
+        /* Please leave DEFAULT first, but sort the rest alphabetically */
+        SYSCALL_FILTER_SET_DEFAULT,
         SYSCALL_FILTER_SET_BASIC_IO,
         SYSCALL_FILTER_SET_CLOCK,
         SYSCALL_FILTER_SET_CPU_EMULATION,
         SYSCALL_FILTER_SET_DEBUG,
-        SYSCALL_FILTER_SET_DEFAULT,
         SYSCALL_FILTER_SET_IO_EVENT,
         SYSCALL_FILTER_SET_IPC,
         SYSCALL_FILTER_SET_KEYRING,