core: improve seccomp syscall grouping a bit
This adds three new seccomp syscall groups: @keyring for kernel keyring access, @cpu-emulation for CPU emulation features, for example vm86() for dosemu and suchlike, and @debug for ptrace() and related calls. Also, the @clock group is updated with more syscalls that alter the system clock. capset() is added to @privileged, and pciconfig_iobase() is added to @raw-io. Finally, @obsolete is cleaned up. A number of syscalls that never existed on Linux and have no number assigned on any architecture are removed, as they only exist in the man pages and other operating systems, but not in code at all. create_module() is moved from @module to @obsolete, as it is an obsolete system call. mem_getpolicy() is removed from the @obsolete list, as it is not obsolete, but simply a NUMA API.
This commit is contained in:
parent
50b52222f2
commit
1f9ac68b5b
@ -1218,49 +1218,55 @@
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>@clock</entry>
|
||||
<entry>System calls for changing the system clock (<function>adjtimex()</function>,
|
||||
<function>settimeofday()</function>)</entry>
|
||||
<entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@cpu-emulation</entry>
|
||||
<entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@debug</entry>
|
||||
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@io-event</entry>
|
||||
<entry>Event loop use (<function>poll()</function>, <function>select()</function>,
|
||||
<citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
|
||||
<function>eventfd()</function>...)</entry>
|
||||
<entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@ipc</entry>
|
||||
<entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
|
||||
<citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
|
||||
<entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@keyring</entry>
|
||||
<entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@module</entry>
|
||||
<entry>Kernel module control (<function>create_module()</function>, <function>init_module()</function>...)</entry>
|
||||
<entry>Kernel module control (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@mount</entry>
|
||||
<entry>File system mounting and unmounting (<function>chroot()</function>, <function>mount()</function>...)</entry>
|
||||
<entry>File system mounting and unmounting (<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@network-io</entry>
|
||||
<entry>Socket I/O (including local AF_UNIX):
|
||||
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
|
||||
<citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
|
||||
<entry>Socket I/O (including local AF_UNIX): <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@obsolete</entry>
|
||||
<entry>Unusual, obsolete or unimplemented (<function>fattach()</function>, <function>gtty()</function>, <function>vm86()</function>...)</entry>
|
||||
<entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@privileged</entry>
|
||||
<entry>All system calls which need superuser capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
|
||||
<entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@process</entry>
|
||||
<entry>Process control, execution, namespaces (<function>execve()</function>, <function>kill()</function>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>...)</entry>
|
||||
<entry>Process control, execution, namespaces (<citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@raw-io</entry>
|
||||
<entry>Raw I/O ports (<function>ioperm()</function>, <function>iopl()</function>, <function>pciconfig_read()</function>...)</entry>
|
||||
<entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
|
@ -95,7 +95,31 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
.set_name = "@clock",
|
||||
.value =
|
||||
"adjtimex\0"
|
||||
"clock_adjtime\0"
|
||||
"clock_settime\0"
|
||||
"settimeofday\0"
|
||||
"stime\0"
|
||||
}, {
|
||||
/* CPU emulation calls */
|
||||
.set_name = "@cpu-emulation",
|
||||
.value =
|
||||
"modify_ldt\0"
|
||||
"subpage_prot\0"
|
||||
"switch_endian\0"
|
||||
"vm86\0"
|
||||
"vm86old\0"
|
||||
}, {
|
||||
/* Debugging/Performance Monitoring/Tracing */
|
||||
.set_name = "@debug",
|
||||
.value =
|
||||
"lookup_dcookie\0"
|
||||
"perf_event_open\0"
|
||||
"process_vm_readv\0"
|
||||
"process_vm_writev\0"
|
||||
"ptrace\0"
|
||||
"rtas\0"
|
||||
"s390_runtime_instr\0"
|
||||
"sys_debug_setcontext\0"
|
||||
}, {
|
||||
/* Default list */
|
||||
.set_name = "@default",
|
||||
@ -147,11 +171,17 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
"shmctl\0"
|
||||
"shmdt\0"
|
||||
"shmget\0"
|
||||
}, {
|
||||
/* Keyring */
|
||||
.set_name = "@keyring",
|
||||
.value =
|
||||
"add_key\0"
|
||||
"keyctl\0"
|
||||
"request_key\0"
|
||||
}, {
|
||||
/* Kernel module control */
|
||||
.set_name = "@module",
|
||||
.value =
|
||||
"create_module\0"
|
||||
"delete_module\0"
|
||||
"finit_module\0"
|
||||
"init_module\0"
|
||||
@ -197,40 +227,26 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
"_sysctl\0"
|
||||
"afs_syscall\0"
|
||||
"break\0"
|
||||
"fattach\0"
|
||||
"fdetach\0"
|
||||
"create_module\0"
|
||||
"ftime\0"
|
||||
"get_kernel_syms\0"
|
||||
"get_mempolicy\0"
|
||||
"getmsg\0"
|
||||
"getpmsg\0"
|
||||
"gtty\0"
|
||||
"isastream\0"
|
||||
"lock\0"
|
||||
"madvise1\0"
|
||||
"modify_ldt\0"
|
||||
"mpx\0"
|
||||
"pciconfig_iobase\0"
|
||||
"perf_event_open\0"
|
||||
"prof\0"
|
||||
"profil\0"
|
||||
"putmsg\0"
|
||||
"putpmsg\0"
|
||||
"query_module\0"
|
||||
"rtas\0"
|
||||
"s390_runtime_instr\0"
|
||||
"security\0"
|
||||
"sgetmask\0"
|
||||
"ssetmask\0"
|
||||
"stty\0"
|
||||
"subpage_prot\0"
|
||||
"switch_endian\0"
|
||||
"sys_debug_setcontext\0"
|
||||
"sysfs\0"
|
||||
"tuxcall\0"
|
||||
"ulimit\0"
|
||||
"uselib\0"
|
||||
"vm86\0"
|
||||
"vm86old\0"
|
||||
"ustat\0"
|
||||
"vserver\0"
|
||||
}, {
|
||||
/* Nice grab-bag of all system calls which need superuser capabilities */
|
||||
@ -242,6 +258,7 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
"acct\0"
|
||||
"bdflush\0"
|
||||
"bpf\0"
|
||||
"capset\0"
|
||||
"chown32\0"
|
||||
"chown\0"
|
||||
"chroot\0"
|
||||
@ -268,7 +285,6 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
"setreuid\0"
|
||||
"setuid32\0"
|
||||
"setuid\0"
|
||||
"stime\0"
|
||||
"swapoff\0"
|
||||
"swapon\0"
|
||||
"sysctl\0"
|
||||
@ -295,6 +311,7 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
.value =
|
||||
"ioperm\0"
|
||||
"iopl\0"
|
||||
"pciconfig_iobase\0"
|
||||
"pciconfig_read\0"
|
||||
"pciconfig_write\0"
|
||||
"s390_pci_mmio_read\0"
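Review bot: The hunk at "@ -268,7 +285,6" drops one line from the @privileged list, and from the surrounding context (setreuid … sysctl, with `"stime\0"` newly added to @clock in the first hunk) that line appears to be `"stime\0"`; if so, existing units using `SystemCallFilter=~@privileged` without also filtering @clock silently regain the ability to call stime(), which still needs CAP_SYS_TIME and therefore still matches the list's own comment "all system calls which need superuser capabilities" and the man-page text for @privileged. The sets are independent string lists, so the clock-setting calls can stay in @privileged as well as in @clock; please keep `"stime\0"` in @privileged (and, for the same reason, check that adjtimex, clock_adjtime, clock_settime and settimeofday are present there too, which this hunk does not show). If the overlap is removed deliberately, a short comment on the @clock entry stating that @privileged no longer covers clock changes would help users of `~@privileged` understand the change in coverage. The syscall_filter_sets[] initializer starts and ends outside every hunk of this file.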
|
||||
|