From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 13 Sep 2017 17:40:23 +0000 (+0200)
Subject: seccomp: beef up @process group a bit
X-Git-Tag: v235~107^2~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b887d2ebfe19b09d498f71589d245ad2060f1afd;p=thirdparty%2Fsystemd.git

seccomp: beef up @process group a bit

Include the waid syscalls. If we permit forking then we should also
permit waiting for a process.

Similar to that: also permit determining the usage counters for
processes.

Include calls to determine process/thread identity. They have little
impact security-wise, but are very likely used when process management
of any form is done.

Also, add rt_sigqueueinfo + rt_tgsigqueueinfo as they are similar to
kill() and friends, but permit passing along a userdata ptr.
---

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index eee7f045713..d96b449082b 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -612,13 +612,23 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "clone\0"
                 "execveat\0"
                 "fork\0"
+                "getpid\0"
+                "getppid\0"
+                "getrusage\0"
+                "gettid\0"
                 "kill\0"
                 "prctl\0"
+                "rt_sigqueueinfo\0"
+                "rt_tgsigqueueinfo\0"
                 "setns\0"
                 "tgkill\0"
+                "times\0"
                 "tkill\0"
                 "unshare\0"
                 "vfork\0"
+                "wait4\0"
+                "waitid\0"
+                "waitpid\0"
         },
         [SYSCALL_FILTER_SET_RAW_IO] = {
                 .name = "@raw-io",