seccomp-util: include @sandbox in @default

Every services and containers should be able to protect their users and limit the impact of security bugs thanks to the security syscalls provided by seccomp and Landlock. The goal of these syscalls is to improve security with additional restrictions. They are designed to be safely used by unprivileged (and then potentially malicious) users. Remove the now-redundant "seccomp" entry for nspawn. (cherry picked from commit e9966634754b8c9ee3f3c579f25d938e185c282e) (cherry picked from commit c53c1a0fac49645588409a0a4917b2f12a5d5910)
2025-02-10 13:57:25 +03:00 · 2024-09-25 15:20:23 +02:00 · 2024-09-25 15:20:23 +02:00 · a3705b6981
commit a3705b6981
parent 54ccd49876
2 changed files with 1 additions and 1 deletions
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@ -84,7 +84,6 @@ static int add_syscall_filters(
                { 0,                  "sched_rr_get_interval"        },
                { 0,                  "sched_rr_get_interval_time64" },
                { 0,                  "sched_yield"                  },
-                { 0,                  "seccomp"                      },
                { 0,                  "sendfile"                     },
                { 0,                  "sendfile64"                   },
                { 0,                  "setdomainname"                },
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -318,6 +318,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                .name = "@default",
                .help = "System calls that are always permitted",
                .value =
+                "@sandbox\0"
                "arch_prctl\0"      /* Used during platform-specific initialization by ld-linux.so. */
                "brk\0"
                "cacheflush\0"