seccomp-util: add new @sandbox syscall group with landlock/seccomp
authorLennart Poettering <lennart@poettering.net>
Fri, 24 Mar 2023 10:15:21 +0000 (11:15 +0100)
committerLennart Poettering <lennart@poettering.net>
Fri, 24 Mar 2023 11:27:23 +0000 (12:27 +0100)
Let's group these 4 syscalls: they offer similar things (unprivileged
sandboxing) and I guess might be used in conjunction quite often.

Fixes: #26913
src/shared/seccomp-util.c
src/shared/seccomp-util.h

index 8ece7f163f1be53370957aff2e2cfc61bce90814..a855f34602d0c2b78d12a87f253af60eab57015c 100644 (file)
@@ -800,6 +800,15 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "setpriority\0"
                 "setrlimit\0"
         },
+        [SYSCALL_FILTER_SET_SANDBOX] = {
+                .name = "@sandbox",
+                .help = "Sandbox functionality",
+                .value =
+                "landlock_add_rule\0"
+                "landlock_create_ruleset\0"
+                "landlock_restrict_self\0"
+                "seccomp\0"
+        },
         [SYSCALL_FILTER_SET_SETUID] = {
                 .name = "@setuid",
                 .help = "Operations for changing user/group credentials",
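Review bot: The new @sandbox set covers only the seccomp() syscall, so denying the group with SystemCallFilter=~@sandbox would not stop a process from installing a seccomp filter through the older prctl(PR_SET_SECCOMP, ...) path, which is not listed here (prctl is presumably left out on purpose, since it is far too broad to block). That gap is worth stating where the set is documented so nobody reads @sandbox as a complete way to forbid sandboxing; the .help string is also terser than its neighbours', e.g. `.help = "Unprivileged sandboxing (Landlock rulesets, seccomp filters)",`. The diffstat shows only seccomp-util.c and seccomp-util.h changed, so if the table of predefined filter sets in systemd.exec(5) and any test that enumerates the sets are maintained by hand, they would need a matching @sandbox entry in the same commit. The syscall_filter_sets array starts and ends outside the hunk.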
index 3f1a993e11cdc93cfbc3a41ff303fd37de0b1c65..4f5b0249ad7f2638fad9c3e23c429f6c63570231 100644 (file)
@@ -49,6 +49,7 @@ enum {
         SYSCALL_FILTER_SET_RAW_IO,
         SYSCALL_FILTER_SET_REBOOT,
         SYSCALL_FILTER_SET_RESOURCES,
+        SYSCALL_FILTER_SET_SANDBOX,
         SYSCALL_FILTER_SET_SETUID,
         SYSCALL_FILTER_SET_SIGNAL,
         SYSCALL_FILTER_SET_SWAP,