seccomp: move sched_getaffinity() from @system-service to @default

See: https://github.com/systemd/systemd/pull/20191#issuecomment-881982739 In general, we shouldn't blanket move syscalls like this into @default, given that glibc actually does have fallbacks, afaics. However, as long as the syscalls are "read-only" and thus benign, I figure it's a safe thing to do. But we should probably stick to a "if in doubt, don't" rule, and put these syscalls in @system-service as default, but not into @default. I think in the real world @system-service is the sensible group people should use, and not @default actually.
2025-03-31 14:50:15 +03:00 · 2021-07-27 17:11:09 +02:00 · 2021-07-27 17:11:09 +02:00 · 7df660e456
commit 7df660e456
parent 67347f3740
1 changed files with 1 additions and 1 deletions
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -331,6 +331,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "restart_syscall\0"
                "rseq\0"
                "rt_sigreturn\0"
+                "sched_getaffinity\0"
                "sched_yield\0"
                "set_robust_list\0"
                "set_thread_area\0"
@ -874,7 +875,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "remap_file_pages\0"
                "sched_get_priority_max\0"
                "sched_get_priority_min\0"
-                "sched_getaffinity\0"
                "sched_getattr\0"
                "sched_getparam\0"
                "sched_getscheduler\0"