nspawn: prohibit access to the kernel log buffer by default

Unless CAP_SYSLOG is explicitly passed block all access to kmg
2024-11-05 23:51:28 +03:00 · 2015-05-21 20:48:39 +02:00 · 2015-05-21 20:48:39 +02:00 · 5ba7a26847
commit 5ba7a26847
parent 4c6d20dece
1 changed files with 10 additions and 9 deletions
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -2941,6 +2941,7 @@ static int setup_seccomp(void) {
                { CAP_SYS_MODULE, SCMP_SYS(init_module)       },
                { CAP_SYS_MODULE, SCMP_SYS(finit_module)      },
                { CAP_SYS_MODULE, SCMP_SYS(delete_module)     },
+                { CAP_SYSLOG,     SCMP_SYS(syslog)            },
        };

        scmp_filter_ctx seccomp;