From: Zbigniew Jędrzejewski-Szmek Date: Fri, 8 Nov 2019 11:56:56 +0000 (+0100) Subject: Add @pkey syscall group X-Git-Tag: v244-rc1~79^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9493b168717a445abb12f62c2503edd019e00ab5;p=thirdparty%2Fsystemd.git Add @pkey syscall group Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1769299. This change doesn't solve the issue, but makes it easier to whitelist the syscall group. --- diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index 9222f2bc847..0b39cda9ba9 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -123,6 +123,7 @@ static int seccomp_add_default_syscall_filter( * @cpu-emulation * @keyring (NB: keyring is not namespaced!) * @obsolete + * @pkey * @swap * * bpf (NB: bpffs is not namespaced!) @@ -134,9 +135,6 @@ static int seccomp_add_default_syscall_filter( * nfsservctl * open_by_handle_at * perf_event_open - * pkey_alloc - * pkey_free - * pkey_mprotect * quotactl */ }; diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 2a4334b784a..22110d0d731 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -629,6 +629,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "ustat\0" "vserver\0" }, + [SYSCALL_FILTER_SET_PKEY] = { + .name = "@pkey", + .help = "System calls used for memory protection keys", + .value = + "pkey_alloc\0" + "pkey_free\0" + "pkey_mprotect\0" + }, [SYSCALL_FILTER_SET_PRIVILEGED] = { .name = "@privileged", .help = "All system calls which need super-user capabilities", diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index 1729dc1b6ee..b29082a4885 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -38,6 +38,7 @@ enum { SYSCALL_FILTER_SET_MOUNT, SYSCALL_FILTER_SET_NETWORK_IO, SYSCALL_FILTER_SET_OBSOLETE, + SYSCALL_FILTER_SET_PKEY, SYSCALL_FILTER_SET_PRIVILEGED, SYSCALL_FILTER_SET_PROCESS, SYSCALL_FILTER_SET_RAW_IO,