mirror of https://github.com/systemd/systemd.git synced 2024-11-06 08:26:52 +03:00

nspawn: prohibit access to the kernel log buffer by default

Unless CAP_SYSLOG is explicitly passed, block all access to kmsg.
Lennart Poettering 2015-05-21 20:48:39 +02:00
parent 4c6d20dece
commit 5ba7a26847


@ -2932,15 +2932,16 @@ static int setup_seccomp(void) {
uint64_t capability; uint64_t capability;
int syscall_num; int syscall_num;
} blacklist[] = { } blacklist[] = {
{ CAP_SYS_RAWIO, SCMP_SYS(iopl)}, { CAP_SYS_RAWIO, SCMP_SYS(iopl) },
{ CAP_SYS_RAWIO, SCMP_SYS(ioperm)}, { CAP_SYS_RAWIO, SCMP_SYS(ioperm) },
{ CAP_SYS_BOOT, SCMP_SYS(kexec_load)}, { CAP_SYS_BOOT, SCMP_SYS(kexec_load) },
{ CAP_SYS_ADMIN, SCMP_SYS(swapon)}, { CAP_SYS_ADMIN, SCMP_SYS(swapon) },
{ CAP_SYS_ADMIN, SCMP_SYS(swapoff)}, { CAP_SYS_ADMIN, SCMP_SYS(swapoff) },
{ CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at)}, { CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at) },
{ CAP_SYS_MODULE, SCMP_SYS(init_module)}, { CAP_SYS_MODULE, SCMP_SYS(init_module) },
{ CAP_SYS_MODULE, SCMP_SYS(finit_module)}, { CAP_SYS_MODULE, SCMP_SYS(finit_module) },
{ CAP_SYS_MODULE, SCMP_SYS(delete_module)}, { CAP_SYS_MODULE, SCMP_SYS(delete_module) },
{ CAP_SYSLOG, SCMP_SYS(syslog) },
}; };
scmp_filter_ctx seccomp; scmp_filter_ctx seccomp;