From: Lennart Poettering
Date: Fri, 24 Mar 2023 10:15:21 +0000 (+0100)
Subject: seccomp-util: add new @sandbox syscall group with landlock/seccomp
X-Git-Tag: v254-rc1~927^2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d12632a86103b5f9ff1ce61977661ad0c1e8a018;p=thirdparty%2Fsystemd.git
seccomp-util: add new @sandbox syscall group with landlock/seccomp
Let's group these 4 syscalls, as they offer similar things and I guess might be used in conjunction quite often, as they offer unprivileged sandboxing.
Fixes: #26913
---
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 8ece7f163f1..a855f34602d 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -800,6 +800,15 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "setpriority\0"
 "setrlimit\0"
 },
+ [SYSCALL_FILTER_SET_SANDBOX] = {
+ .name = "@sandbox",
+ .help = "Sandbox functionality",
+ .value =
+ "landlock_add_rule\0"
+ "landlock_create_ruleset\0"
+ "landlock_restrict_self\0"
+ "seccomp\0"
+ },
 [SYSCALL_FILTER_SET_SETUID] = {
 .name = "@setuid",
 .help = "Operations for changing user/group credentials",
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 3f1a993e11c..4f5b0249ad7 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -49,6 +49,7 @@ enum {
 SYSCALL_FILTER_SET_RAW_IO,
 SYSCALL_FILTER_SET_REBOOT,
 SYSCALL_FILTER_SET_RESOURCES,
+ SYSCALL_FILTER_SET_SANDBOX,
 SYSCALL_FILTER_SET_SETUID,
 SYSCALL_FILTER_SET_SIGNAL,
 SYSCALL_FILTER_SET_SWAP,
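Review bot: The `.help` text `"Sandbox functionality"` on the new `[SYSCALL_FILTER_SET_SANDBOX]` entry does not say what the group covers, and for a filter set that boundary matters: the `seccomp` syscall is only one way to install a filter, because `prctl(PR_SET_SECCOMP)` reaches the same kernel functionality and is not listed here. A unit that denies `@sandbox` therefore should not be read as preventing a process from adding seccomp filters. I would add a comment above the entry such as `/* Landlock and seccomp(2) only; prctl(PR_SET_SECCOMP) is not covered by this group */` and make the help string equally specific. Nothing in the visible hunks references the new group from a broader predefined set, so whether allow-list units gain these calls depends on changes outside this diff. The `syscall_filter_sets` initializer starts and ends outside the hunk.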