seccomp: add two new filter sets: @reboot and @swap
These group reboot()/kexec() and swapon()/swapoff(), respectively.
parent
27e2e3231f
commit
bd2ab3f4f6
@ -1424,10 +1424,18 @@
|
||||
<entry>@raw-io</entry>
|
||||
<entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@reboot</entry>
|
||||
<entry>System calls for rebooting and reboot preparation (<citerefentry project='man-pages'><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>kexec()</function>, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@resources</entry>
|
||||
<entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@swap</entry>
|
||||
<entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
@ -566,6 +566,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
"s390_pci_mmio_write\0"
|
||||
#endif
|
||||
},
|
||||
[SYSCALL_FILTER_SET_REBOOT] = {
|
||||
.name = "@reboot",
|
||||
.help = "Reboot and reboot preparation/kexec",
|
||||
.value =
|
||||
"kexec\0"
|
||||
"kexec_file_load\0"
|
||||
"reboot\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_RESOURCES] = {
|
||||
/* Alter resource settings */
|
||||
.name = "@resources",
|
||||
@ -582,6 +590,13 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
"sched_setattr\0"
|
||||
"prlimit64\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_SWAP] = {
|
||||
.name = "@swap",
|
||||
.help = "Enable/disable swap devices",
|
||||
.value =
|
||||
"swapoff\0"
|
||||
"swapon\0"
|
||||
},
|
||||
};
|
||||
|
||||
const SyscallFilterSet *syscall_filter_set_find(const char *name) {
|
||||
|
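Review bot: The `"kexec\0"` entry in the new `@reboot` set does not name a Linux system call; the calls are kexec_load(2) and kexec_file_load(2), so as written kexec_load is most likely left out of the group. A unit that deny-lists `@reboot` would then still be able to reach kexec_load, though how an unresolvable name is treated is decided in code not shown on this page. I would replace the entry with `"kexec_load\0"`, placed after `"kexec_file_load\0"` to keep the list sorted, and correct the `<function>kexec()</function>` mention in the man page table to match. The `syscall_filter_sets[]` initializer starts and continues outside these hunks.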
@ -56,7 +56,9 @@ enum {
|
||||
SYSCALL_FILTER_SET_PRIVILEGED,
|
||||
SYSCALL_FILTER_SET_PROCESS,
|
||||
SYSCALL_FILTER_SET_RAW_IO,
|
||||
SYSCALL_FILTER_SET_REBOOT,
|
||||
SYSCALL_FILTER_SET_RESOURCES,
|
||||
SYSCALL_FILTER_SET_SWAP,
|
||||
_SYSCALL_FILTER_SET_MAX
|
||||
};
|
||||
|
||||
|