From e9966634754b8c9ee3f3c579f25d938e185c282e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Micka=C3=ABl=20Sala=C3=BCn?=
Date: Wed, 25 Sep 2024 15:20:23 +0200
Subject: [PATCH] seccomp-util: include @sandbox in @default

Every services and containers should be able to protect their users and limit the impact of security bugs thanks to the security syscalls provided by seccomp and Landlock. The goal of these syscalls is to improve security with additional restrictions. They are designed to be safely used by unprivileged (and then potentially malicious) users.

Remove the now-redundant "seccomp" entry for nspawn.
---
 src/nspawn/nspawn-seccomp.c | 1 -
 src/shared/seccomp-util.c | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index fa05a8a5b4f..673b627c3b1 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -84,7 +84,6 @@ static int add_syscall_filters(
 { 0, "sched_rr_get_interval" },
 { 0, "sched_rr_get_interval_time64" },
 { 0, "sched_yield" },
- { 0, "seccomp" },
 { 0, "sendfile" },
 { 0, "sendfile64" },
 { 0, "setdomainname" },
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index e2261b0a521..b251e396727 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -318,6 +318,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 .name = "@default",
 .help = "System calls that are always permitted",
 .value =
+ "@sandbox\0"
 "arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */
 "brk\0"
 "cacheflush\0"
-- 
2.47.3
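Review bot: The new `"@sandbox\0"` entry in the `@default` value carries no why-comment, while the neighbouring `arch_prctl` line does, and this entry is the one a future maintainer will question because it widens the set that the `.help` text describes as "always permitted". I would annotate it in the same style, e.g. `"@sandbox\0" /* seccomp() and Landlock: lets a service further restrict itself; the kernel only honours these from unprivileged callers under no_new_privs, so exposing them is not an escalation */`, adjusting the wording to match what @sandbox actually contains in this tree. Because @default is, as far as I can tell, merged into every SystemCallFilter= allow-list implicitly, this hunk changes the effective filter of every existing unit that uses such a list, and a unit that deliberately wanted seccomp() or landlock_*() blocked now needs an explicit `~@sandbox`; that behaviour change deserves a mention in the `.help` string or the unit documentation rather than only in the commit message. The `syscall_filter_sets` definition starts and ends outside the hunk, so I could not confirm whether a test in this tree pins the contents of @default.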