seccomp: drop mincore() from @system-service syscall filter group

Previously, this system call was included in @system-service since it is a "getter" only, i.e. only queries information, and doesn't change anything, and hence was considered not risky. However, as it turns out, mincore() is actually security sensitive, see the discussion here: https://lwn.net/Articles/776034/ Hence, let's adjust the system call filter and drop mincore() from it. This constitues a compatibility break to some level, however I presume we can get away with this as the systemcall is pretty exotic. The fact that it is pretty exotic is also reflected by the fact that the kernel intends to majorly change behaviour of the system call soon (see the linked LWN article)
2025-03-11 04:58:19 +03:00 · 2019-01-16 12:13:37 +01:00 · 2019-01-16 12:13:37 +01:00 · 57c03b1e6e
commit 57c03b1e6e
parent 35f2c0ba6a
2 changed files with 4 additions and 1 deletions
--- a/4
+++ b/4
@ -25,6 +25,10 @@ CHANGES WITH 241 in spe:
        * kernel-install script now optionally takes a path to an initrd file,
          and passes it to all plugins.

+        * The mincore() system call has been dropped from the @system-service
+          system call filter group, as it is pretty exotic and may potentially
+          used for side-channel attacks.
+
        * -fPIE is dropped from compiler and linker options. Please specify
          -Db_pie=true option to meson to build position-independent
          executables. Note that the meson option is supported since meson-0.49.
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -793,7 +793,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "ioprio_get\0"
                "kcmp\0"
                "madvise\0"
-                "mincore\0"
                "mprotect\0"
                "mremap\0"
                "name_to_handle_at\0"