shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-11 05:17:44 +03:00
Code

seccomp: add @filesystem syscall group (#4537)

Browse Source 
@filesystem groups various file system operations, such as opening files and
directories for read/write and stat()ing them, plus renaming, deleting,
symlinking, hardlinking.
This commit is contained in:
Lennart Poettering 2016-11-22 01:29:12 +01:00 committed by Zbigniew Jędrzejewski-Szmek
parent 6680b8d118
commit 1a1b13c957
3 changed files with 77 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
man/systemd.exec.xml
View File

@ -1355,6 +1355,10 @@
<entry>@debug</entry> <entry>@debug</entry>
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
</row> </row>
<row>
<entry>@file-system</entry>
<entry>File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links.</entry>
</row>
<row> <row>
<entry>@io-event</entry> <entry>@io-event</entry>
<entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>

72
src/shared/seccomp-util.c
View File

@ -290,6 +290,78 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
#endif #endif
"sys_debug_setcontext\0" "sys_debug_setcontext\0"
}, },
[SYSCALL_FILTER_SET_FILE_SYSTEM] = {
.name = "@file-system",
.help = "File system operations",
.value =
"access\0"
"chdir\0"
"chmod\0"
"close\0"
"creat\0"
"faccessat\0"
"fallocate\0"
"fchdir\0"
"fchmod\0"
"fchmodat\0"
"fcntl64\0"
"fcntl\0"
"fgetxattr\0"
"flistxattr\0"
"fsetxattr\0"
"fstat64\0"
"fstat\0"
"fstatat64\0"
"fstatfs64\0"
"fstatfs\0"
"ftruncate64\0"
"ftruncate\0"
"futimesat\0"
"getcwd\0"
"getdents64\0"
"getdents\0"
"getxattr\0"
"inotify_add_watch\0"
"inotify_init1\0"
"inotify_rm_watch\0"
"lgetxattr\0"
"link\0"
"linkat\0"
"listxattr\0"
"llistxattr\0"
"lremovexattr\0"
"lsetxattr\0"
"lstat64\0"
"lstat\0"
"mkdir\0"
"mkdirat\0"
"mknod\0"
"mknodat\0"
"mmap2\0"
"mmap\0"
"newfstatat\0"
"open\0"
"openat\0"
"readlink\0"
"readlinkat\0"
"removexattr\0"
"rename\0"
"renameat2\0"
"renameat\0"
"rmdir\0"
"setxattr\0"
"stat64\0"
"stat\0"
"statfs\0"
"symlink\0"
"symlinkat\0"
"truncate64\0"
"truncate\0"
"unlink\0"
"unlinkat\0"
"utimensat\0"
"utimes\0"
},
[SYSCALL_FILTER_SET_IO_EVENT] = { [SYSCALL_FILTER_SET_IO_EVENT] = {
.name = "@io-event", .name = "@io-event",
.help = "Event loop system calls", .help = "Event loop system calls",

1
src/shared/seccomp-util.h
View File

@ -45,6 +45,7 @@ enum {
SYSCALL_FILTER_SET_CLOCK, SYSCALL_FILTER_SET_CLOCK,
SYSCALL_FILTER_SET_CPU_EMULATION, SYSCALL_FILTER_SET_CPU_EMULATION,
SYSCALL_FILTER_SET_DEBUG, SYSCALL_FILTER_SET_DEBUG,
SYSCALL_FILTER_SET_FILE_SYSTEM,
SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_IO_EVENT,
SYSCALL_FILTER_SET_IPC, SYSCALL_FILTER_SET_IPC,
SYSCALL_FILTER_SET_KEYRING, SYSCALL_FILTER_SET_KEYRING,