From: Lennart Poettering Date: Tue, 25 Oct 2016 13:42:10 +0000 (+0200) Subject: seccomp: drop execve() from @process list X-Git-Tag: v232~13^2~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a8c157ff3081ee963adb0d046015abf9a271fa67;p=thirdparty%2Fsystemd.git seccomp: drop execve() from @process list The system call is already part of @default, hence implicitly allowed anyway. Also, if it is actually blocked then systemd couldn't execute the service in question anymore, since the application of seccomp is immediately followed by it. --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index e7d8bb23a4b..d45e5362dc6 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1347,7 +1347,7 @@ @process - Process control, execution, namespaces (execve2, kill2, namespaces7, … + Process control, execution, namespaces (clone2, kill2, namespaces7, … @raw-io diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index ad5782fb295..70723e9e4e0 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -443,7 +443,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { .value = "arch_prctl\0" "clone\0" - "execve\0" "execveat\0" "fork\0" "kill\0"
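Review bot: in the man/systemd.exec.xml hunk the @process example list swaps execve(2) for clone(2) but the entry still describes the set as "Process control, execution, namespaces", and the one exec-family call that remains in the set after the seccomp-util.c hunk, execveat(2), is not named anywhere in the documentation; either list execveat(2) in place of clone(2) so "execution" still has a visible member, or drop "execution" from the description, and consider adding to the @default entry that execve(2) is included there, since that is the explanation the commit message gives for its absence from @process and readers will look for it under @process first.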
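Review bot: the rationale in the commit message only covers execve(), yet "execveat\0" stays in the set on the line directly after the removed "execve\0"; execveat(AT_FDCWD, path, argv, envp, 0) is equivalent to execve(), so after this change a deny-list filter (the ~@process form of SystemCallFilter=) blocks execveat but no longer blocks execve, while an allow-list naming @process gets execve through @default regardless. That is the intended outcome given that systemd itself calls execve() right after installing the filter, but it is worth one sentence in the commit message or in the @process documentation stating that @process is not a way to restrict exec, so that nobody keeps ~@process in a unit for that purpose.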