From: Mickaël Salaün
Date: Wed, 25 Sep 2024 13:20:23 +0000 (+0200)
Subject: seccomp-util: include @sandbox in @default
X-Git-Tag: v257-rc1~365
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e9966634754b8c9ee3f3c579f25d938e185c282e;p=thirdparty%2Fsystemd.git

seccomp-util: include @sandbox in @default

Every service and container should be able to protect its users and limit the impact of security bugs thanks to the security syscalls provided by seccomp and Landlock. The goal of these syscalls is to improve security with additional restrictions. They are designed to be safely used by unprivileged (and then potentially malicious) users.

Remove the now-redundant "seccomp" entry for nspawn.

---

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index fa05a8a5b4f..673b627c3b1 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -84,7 +84,6 @@ static int add_syscall_filters( { 0, "sched_rr_get_interval" }, { 0, "sched_rr_get_interval_time64" }, { 0, "sched_yield" }, - { 0, "seccomp" }, { 0, "sendfile" }, { 0, "sendfile64" }, { 0, "setdomainname" }, diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index e2261b0a521..b251e396727 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -318,6 +318,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { .name = "@default", .help = "System calls that are always permitted", .value = + "@sandbox\0" "arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */ "brk\0" "cacheflush\0"
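Review bot: in the src/nspawn/nspawn-seccomp.c hunk, dropping `{ 0, "seccomp" }` from the nspawn allowlist is only correct because seccomp(2) is now reachable through @default via @sandbox in the other file, and nothing in this file records that dependency; a reader auditing the container allowlist later will see no "seccomp" entry and may conclude it was deliberately denied. Suggest a short comment near the removed line (for example `/* seccomp(2) is allowed via @default -> @sandbox, see seccomp-util.c */`) so the implicit link survives future edits of either table. Also worth confirming in the description that the @sandbox set (not visible in this diff) actually contains "seccomp", since the correctness of this removal rests entirely on that.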
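Review bot: in the src/shared/seccomp-util.c hunk, the new `"@sandbox\0"` line has no explanatory comment, while the very next entry (`"arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */`) sets the convention of justifying each @default member inline; a one-line comment such as `/* Restriction-only syscalls (seccomp, Landlock), safe for unprivileged callers. */` would carry the commit message's rationale into the code. Separately, this is a user-visible change to what "System calls that are always permitted" means for every SystemCallFilter= user, yet the patch touches only the two .c files; the documentation that lists the contents of @default (the systemd.exec man page) should be updated in the same change so the new nesting is discoverable.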