mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-24 21:34:08 +03:00
seccomp: add new @setuid seccomp group
This new group lists all UID/GID credential changing syscalls (which are quite a number these days). This will become particularly useful in a later commit, which uses this group to optionally permit user credential changing to daemons in case ambient capabilities are not available.
This commit is contained in:
parent
8f2c2f20b6
commit
6eaaeee93a
@ -1505,6 +1505,10 @@
|
|||||||
<entry>@resources</entry>
|
<entry>@resources</entry>
|
||||||
<entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
<entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||||
</row>
|
</row>
|
||||||
|
<row>
|
||||||
|
<entry>@setuid</entry>
|
||||||
|
<entry>System calls for changing user ID and group ID credentials, (<citerefentry project='man-pages'><refentrytitle>setuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setgid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setresuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||||
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<entry>@swap</entry>
|
<entry>@swap</entry>
|
||||||
<entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
|
<entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
|
||||||
|
@ -639,6 +639,25 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||||||
"sched_setattr\0"
|
"sched_setattr\0"
|
||||||
"prlimit64\0"
|
"prlimit64\0"
|
||||||
},
|
},
|
||||||
|
[SYSCALL_FILTER_SET_SETUID] = {
|
||||||
|
.name = "@setuid",
|
||||||
|
.help = "Operations for changing user/group credentials",
|
||||||
|
.value =
|
||||||
|
"setgid32\0"
|
||||||
|
"setgid\0"
|
||||||
|
"setgroups32\0"
|
||||||
|
"setgroups\0"
|
||||||
|
"setregid32\0"
|
||||||
|
"setregid\0"
|
||||||
|
"setresgid32\0"
|
||||||
|
"setresgid\0"
|
||||||
|
"setresuid32\0"
|
||||||
|
"setresuid\0"
|
||||||
|
"setreuid32\0"
|
||||||
|
"setreuid\0"
|
||||||
|
"setuid32\0"
|
||||||
|
"setuid\0"
|
||||||
|
},
|
||||||
[SYSCALL_FILTER_SET_SWAP] = {
|
[SYSCALL_FILTER_SET_SWAP] = {
|
||||||
.name = "@swap",
|
.name = "@swap",
|
||||||
.help = "Enable/disable swap devices",
|
.help = "Enable/disable swap devices",
|
||||||
|
@ -58,6 +58,7 @@ enum {
|
|||||||
SYSCALL_FILTER_SET_RAW_IO,
|
SYSCALL_FILTER_SET_RAW_IO,
|
||||||
SYSCALL_FILTER_SET_REBOOT,
|
SYSCALL_FILTER_SET_REBOOT,
|
||||||
SYSCALL_FILTER_SET_RESOURCES,
|
SYSCALL_FILTER_SET_RESOURCES,
|
||||||
|
SYSCALL_FILTER_SET_SETUID,
|
||||||
SYSCALL_FILTER_SET_SWAP,
|
SYSCALL_FILTER_SET_SWAP,
|
||||||
_SYSCALL_FILTER_SET_MAX
|
_SYSCALL_FILTER_SET_MAX
|
||||||
};
|
};
|
||||||
|
Loading…
Reference in New Issue
Block a user