From: Lennart Poettering Date: Wed, 17 Aug 2016 15:53:25 +0000 (+0200) Subject: seccomp: make sure getrlimit() is among the default permitted syscalls X-Git-Tag: v232~256^2~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4a4485ae69bddf6cc01d4c50f3f53535c2d8fea4;p=thirdparty%2Fsystemd.git seccomp: make sure getrlimit() is among the default permitted syscalls A lot of basic code wants to know the stack size, and it is safe if they do, hence let's permit getrlimit() (but not setrlimit()) by default. See: #3970 --- diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 8656d112b8b..b549426e2b2 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -127,6 +127,7 @@ const SystemCallFilterSet syscall_filter_sets[] = { "execve\0" "exit\0" "exit_group\0" + "getrlimit\0" /* make sure processes can query stack size and such */ "rt_sigreturn\0" "sigreturn\0" }, {
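Review bot: The comment on the added "getrlimit\0" line explains why the query is allowed, but it omits the other half of the decision stated in the commit message: setrlimit() is deliberately left out of this default set. Suggest extending the comment, for example /* make sure processes can query stack size and such; setrlimit is intentionally not listed */, so that a later edit to the list does not add it by analogy. Since the set is a list of syscall names and only getrlimit is listed, it is also worth confirming whether ugetrlimit, which libc issues instead on some 32-bit architectures, needs the same entry for the stated goal to hold there.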