From: Lennart Poettering Date: Tue, 29 Sep 2020 13:59:28 +0000 (+0200) Subject: seccomp-util: add cacheflush() syscall to @default syscall set X-Git-Tag: v247-rc1~151 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8e24b1d23f5fa711bfdfd38bcfef525de04cd3c1;p=thirdparty%2Fsystemd.git seccomp-util: add cacheflush() syscall to @default syscall set This is like membarrier() I guess and basically just exposes CPU functionality via kernel syscall on some archs. Let's whitelist it for everyone. Fixes: #17197 --- diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 358960d5c4b..b22ef7cec1d 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -272,6 +272,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { .name = "@default", .help = "System calls that are always permitted", .value = + "cacheflush\0" "clock_getres\0" "clock_getres_time64\0" "clock_gettime\0"
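Review bot: the new "cacheflush\0" entry at the top of the @default value string is justified only by the commit message's "This is like membarrier() I guess", which is thin for a set whose help text reads "System calls that are always permitted". Because anything in this set is allowed regardless of the rest of the filter, the rationale should be stated rather than guessed: name the architectures meant by "some archs" and confirm that the call does no more than expose CPU cache maintenance to the caller. A one-line comment next to the entry, or a sentence in the commit message, would cover it. The placement before "clock_getres\0" keeps the list in alphabetical order, so no change is needed there.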