diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 27044fadd2..3d666eeb79 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -33,90 +33,90 @@ static int add_syscall_filters(
 const char* name;
 } allow_list[] = {
 /* Let's use set names where we can */
- { 0, "@aio" },
- { 0, "@basic-io" },
- { 0, "@chown" },
- { 0, "@default" },
- { 0, "@file-system" },
- { 0, "@io-event" },
- { 0, "@ipc" },
- { 0, "@mount" },
- { 0, "@network-io" },
- { 0, "@process" },
- { 0, "@resources" },
- { 0, "@setuid" },
- { 0, "@signal" },
- { 0, "@sync" },
- { 0, "@timer" },
+ { 0, "@aio" },
+ { 0, "@basic-io" },
+ { 0, "@chown" },
+ { 0, "@default" },
+ { 0, "@file-system" },
+ { 0, "@io-event" },
+ { 0, "@ipc" },
+ { 0, "@mount" },
+ { 0, "@network-io" },
+ { 0, "@process" },
+ { 0, "@resources" },
+ { 0, "@setuid" },
+ { 0, "@signal" },
+ { 0, "@sync" },
+ { 0, "@timer" },

- /* The following four are sets we optionally enable, in case the caps have been configured for it */
- { CAP_SYS_TIME, "@clock" },
- { CAP_SYS_MODULE, "@module" },
- { CAP_SYS_RAWIO, "@raw-io" },
- { CAP_IPC_LOCK, "@memlock" },
+ /* The following four are sets we optionally enable, n case the caps have been configured for it */
+ { CAP_SYS_TIME, "@clock" },
+ { CAP_SYS_MODULE, "@module" },
+ { CAP_SYS_RAWIO, "@raw-io" },
+ { CAP_IPC_LOCK, "@memlock" },

 /* Plus a good set of additional syscalls which are not part of any of the groups above */
- { 0, "brk" },
- { 0, "capget" },
- { 0, "capset" },
- { 0, "copy_file_range" },
- { 0, "fadvise64" },
- { 0, "fadvise64_64" },
- { 0, "flock" },
- { 0, "get_mempolicy" },
- { 0, "getcpu" },
- { 0, "getpriority" },
- { 0, "getrandom" },
- { 0, "ioctl" },
- { 0, "ioprio_get" },
- { 0, "kcmp" },
- { 0, "madvise" },
- { 0, "mincore" },
- { 0, "mprotect" },
- { 0, "mremap" },
- { 0, "name_to_handle_at" },
- { 0, "oldolduname" },
- { 0, "olduname" },
- { 0, "personality" },
- { 0, "readahead" },
- { 0, "readdir" },
- { 0, "remap_file_pages" },
- { 0, "sched_get_priority_max" },
- { 0, "sched_get_priority_min" },
- { 0, "sched_getaffinity" },
- { 0, "sched_getattr" },
- { 0, "sched_getparam" },
- { 0, "sched_getscheduler" },
- { 0, "sched_rr_get_interval" },
+ { 0, "brk" },
+ { 0, "capget" },
+ { 0, "capset" },
+ { 0, "copy_file_range" },
+ { 0, "fadvise64" },
+ { 0, "fadvise64_64" },
+ { 0, "flock" },
+ { 0, "get_mempolicy" },
+ { 0, "getcpu" },
+ { 0, "getpriority" },
+ { 0, "getrandom" },
+ { 0, "ioctl" },
+ { 0, "ioprio_get" },
+ { 0, "kcmp" },
+ { 0, "madvise" },
+ { 0, "mincore" },
+ { 0, "mprotect" },
+ { 0, "mremap" },
+ { 0, "name_to_handle_at" },
+ { 0, "oldolduname" },
+ { 0, "olduname" },
+ { 0, "personality" },
+ { 0, "readahead" },
+ { 0, "readdir" },
+ { 0, "remap_file_pages" },
+ { 0, "sched_get_priority_max" },
+ { 0, "sched_get_priority_min" },
+ { 0, "sched_getaffinity" },
+ { 0, "sched_getattr" },
+ { 0, "sched_getparam" },
+ { 0, "sched_getscheduler" },
+ { 0, "sched_rr_get_interval" },
 { 0, "sched_rr_get_interval_time64" },
- { 0, "sched_yield" },
- { 0, "seccomp" },
- { 0, "sendfile" },
- { 0, "sendfile64" },
- { 0, "setdomainname" },
- { 0, "setfsgid" },
- { 0, "setfsgid32" },
- { 0, "setfsuid" },
- { 0, "setfsuid32" },
- { 0, "sethostname" },
- { 0, "setpgid" },
- { 0, "setsid" },
- { 0, "splice" },
- { 0, "sysinfo" },
- { 0, "tee" },
- { 0, "umask" },
- { 0, "uname" },
- { 0, "userfaultfd" },
- { 0, "vmsplice" },
+ { 0, "sched_yield" },
+ { 0, "seccomp" },
+ { 0, "sendfile" },
+ { 0, "sendfile64" },
+ { 0, "setdomainname" },
+ { 0, "setfsgid" },
+ { 0, "setfsgid32" },
+ { 0, "setfsuid" },
+ { 0, "setfsuid32" },
+ { 0, "sethostname" },
+ { 0, "setpgid" },
+ { 0, "setsid" },
+ { 0, "splice" },
+ { 0, "sysinfo" },
+ { 0, "tee" },
+ { 0, "umask" },
+ { 0, "uname" },
+ { 0, "userfaultfd" },
+ { 0, "vmsplice" },

 /* The following individual syscalls are added depending on specified caps */
- { CAP_SYS_PACCT, "acct" },
- { CAP_SYS_PTRACE, "process_vm_readv" },
- { CAP_SYS_PTRACE, "process_vm_writev" },
- { CAP_SYS_PTRACE, "ptrace" },
- { CAP_SYS_BOOT, "reboot" },
- { CAP_SYSLOG, "syslog" },
- { CAP_SYS_TTY_CONFIG, "vhangup" },
+ { CAP_SYS_PACCT, "acct" },
+ { CAP_SYS_PTRACE, "process_vm_readv" },
+ { CAP_SYS_PTRACE, "process_vm_writev" },
+ { CAP_SYS_PTRACE, "ptrace" },
+ { CAP_SYS_BOOT, "reboot" },
+ { CAP_SYSLOG, "syslog" },
+ { CAP_SYS_TTY_CONFIG, "vhangup" },

 /*
 * The following syscalls and groups are knowingly excluded:
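Review bot: The re-indented comment above the four capability-gated sets now reads `n case the caps have been configured for it`. The `i` of `in case` was dropped during realignment and should be restored: `/* The following four are sets we optionally enable, in case the caps have been configured for it */`. Every capability/name pair visible in the hunk appears unchanged between the old and new side, which is what matters for a seccomp allow-list, where a single shifted capability would silently widen what the container may call. Since the change is presented as alignment only, a whitespace-insensitive diff should show this comment as the sole non-whitespace difference, and that is worth stating in the commit message. The `allow_list[]` initializer and the body of `add_syscall_filters` both start and end outside the hunk.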