seccomp: add two new syscall groups
@resources contains various syscalls that alter resource limits and memory and scheduling parameters of processes. As such they are good candidates to block for most services. @basic-io contains a number of basic syscalls for I/O, similar to the list seccomp v1 permitted but slightly more complete. It should be useful for building basic whitelisting for minimal sandboxes.
This commit is contained in:
parent
aa6b9cec88
commit
133ddbbeae
@ -1301,6 +1301,10 @@
|
||||
</row>
|
||||
</thead>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>@basic-io</entry>
|
||||
<entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@clock</entry>
|
||||
<entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
|
||||
@ -1353,6 +1357,10 @@
|
||||
<entry>@raw-io</entry>
|
||||
<entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@resources</entry>
|
||||
<entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
@ -217,6 +217,24 @@ bool is_seccomp_available(void) {
|
||||
}
|
||||
|
||||
const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
[SYSCALL_FILTER_SET_BASIC_IO] = {
|
||||
/* Basic IO */
|
||||
.name = "@basic-io",
|
||||
.value =
|
||||
"close\0"
|
||||
"dup2\0"
|
||||
"dup3\0"
|
||||
"dup\0"
|
||||
"lseek\0"
|
||||
"pread64\0"
|
||||
"preadv\0"
|
||||
"pwrite64\0"
|
||||
"pwritev\0"
|
||||
"read\0"
|
||||
"readv\0"
|
||||
"write\0"
|
||||
"writev\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_CLOCK] = {
|
||||
/* Clock */
|
||||
.name = "@clock",
|
||||
@ -472,6 +490,22 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
"s390_pci_mmio_write\0"
|
||||
#endif
|
||||
},
|
||||
[SYSCALL_FILTER_SET_RESOURCES] = {
|
||||
/* Alter resource settings */
|
||||
.name = "@resources",
|
||||
.value =
|
||||
"sched_setparam\0"
|
||||
"sched_setscheduler\0"
|
||||
"sched_setaffinity\0"
|
||||
"setpriority\0"
|
||||
"setrlimit\0"
|
||||
"set_mempolicy\0"
|
||||
"migrate_pages\0"
|
||||
"move_pages\0"
|
||||
"mbind\0"
|
||||
"sched_setattr\0"
|
||||
"prlimit64\0"
|
||||
},
|
||||
};
|
||||
|
||||
const SyscallFilterSet *syscall_filter_set_find(const char *name) {
|
||||
|
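Review bot: `prlimit64` in the new @resources set is not a write-only call: with a NULL new-limit argument it only reads limits, and glibc implements getrlimit() on top of prlimit64 on recent 64-bit builds, so a service that merely queries its limits can be killed by a filter that denies this group — worth confirming against the glibc in use and documenting beside the entry, e.g. `/* also backs glibc getrlimit(); denying it breaks read-only queries */` next to `"prlimit64\0"`. Seccomp filtering by name cannot separate the read and write uses of this call, so the man page row for @resources should carry the same caveat. The @basic-io hunk earlier in this file lists `lseek` but not `_llseek`, which is the seek syscall on 32-bit architectures, so a whitelist built from that group would be incomplete there. The entries in @resources are also unordered while @basic-io is kept roughly alphabetical; sorting them would ease later diffs. The `syscall_filter_sets[]` initializer that this hunk extends begins outside the hunk.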
@ -38,6 +38,7 @@ typedef struct SyscallFilterSet {
|
||||
} SyscallFilterSet;
|
||||
|
||||
enum {
|
||||
SYSCALL_FILTER_SET_BASIC_IO,
|
||||
SYSCALL_FILTER_SET_CLOCK,
|
||||
SYSCALL_FILTER_SET_CPU_EMULATION,
|
||||
SYSCALL_FILTER_SET_DEBUG,
|
||||
@ -52,6 +53,7 @@ enum {
|
||||
SYSCALL_FILTER_SET_PRIVILEGED,
|
||||
SYSCALL_FILTER_SET_PROCESS,
|
||||
SYSCALL_FILTER_SET_RAW_IO,
|
||||
SYSCALL_FILTER_SET_RESOURCES,
|
||||
_SYSCALL_FILTER_SET_MAX
|
||||
};
|
||||
|
||||
|