seccomp-util: include @sandbox in @default

Every services and containers should be able to protect their users and
limit the impact of security bugs thanks to the security syscalls
provided by seccomp and Landlock.  The goal of these syscalls is to
improve security with additional restrictions.  They are designed to be
safely used by unprivileged (and then potentially malicious) users.

Remove the now-redundant "seccomp" entry for nspawn.

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index fa05a8a5b4f443e98d933a250bfb1a84db7d789d..673b627c3b13fac77b8b23b08917cebaff216726 100644 (file)
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -84,7 +84,6 @@ static int add_syscall_filters(
                 { 0,                  "sched_rr_get_interval"        },
                 { 0,                  "sched_rr_get_interval_time64" },
                 { 0,                  "sched_yield"                  },
-                { 0,                  "seccomp"                      },
                 { 0,                  "sendfile"                     },
                 { 0,                  "sendfile64"                   },
                 { 0,                  "setdomainname"                },

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index e2261b0a52126e8c693909bbf891d28a30120a58..b251e396727f5e9080a94ffef9b9cac20b4fd5ac 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -318,6 +318,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 .name = "@default",
                 .help = "System calls that are always permitted",
                 .value =
+                "@sandbox\0"
                 "arch_prctl\0"      /* Used during platform-specific initialization by ld-linux.so. */
                 "brk\0"
                 "cacheflush\0"