git.ipfire.org Git - thirdparty/systemd.git/commitdiff
seccomp-util: allowlist open_tree() as part of @file-system
author Lennart Poettering <lennart@poettering.net>
Fri, 4 Jul 2025 08:16:56 +0000 (10:16 +0200)
committer Lennart Poettering <lennart@poettering.net>
Fri, 4 Jul 2025 20:23:24 +0000 (22:23 +0200)
Now that we make use of open_tree() in places we previously used
openat() with O_PATH, it makes sense to move it from @mount to
@file-system. Without the OPEN_TREE_CLONE flag open_tree() is after all
unprivileged.

Note that open_tree_attr() I left in @mount, since its purpose is
really to set mount options when cloning, and that's clearly a mount
related thing, not so much something you could use unpriv.

Follow-up for: c5de7b14ae2e08d267d8d75bc88934ac6aa7dcd6

This addresses an issue tracked down by Antonio Feijoo: since the commit
that started to use open_tree() various apps started to crash because
they used seccomp filters and sd-device started to use open_tree()
internally.

src/shared/seccomp-util.c

index db3bf6785210ec2c6f08c32855d883813e960b20..3c61f8237182d0716d53f88867b8ec5070cdcf0b 100644 (file)
@@ -526,6 +526,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "oldlstat\0"
                 "oldstat\0"
                 "open\0"
+                "open_tree\0"
                 "openat\0"
                 "openat2\0"
                 "readlink\0"
@@ -648,7 +649,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "mount\0"
                 "mount_setattr\0"
                 "move_mount\0"
-                "open_tree\0"
                 "open_tree_attr\0"
                 "pivot_root\0"
                 "umount\0"