seccomp: add two new filter sets: @reboot and @swap

These groupe reboot()/kexec() and swapon()/swapoff() respectively
2024-10-28 11:55:44 +03:00 · 2016-12-27 14:26:55 +01:00 · 2016-12-27 14:26:55 +01:00 · bd2ab3f4f6
commit bd2ab3f4f6
parent 27e2e3231f
3 changed files with 25 additions and 0 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -1424,10 +1424,18 @@
                <entry>@raw-io</entry>
                <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …)</entry>
              </row>
+              <row>
+                <entry>@reboot</entry>
+                <entry>System calls for rebooting and reboot preparation (<citerefentry project='man-pages'><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>kexec()</function>, …)</entry>
+              </row>
              <row>
                <entry>@resources</entry>
                <entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
              </row>
+              <row>
+                <entry>@swap</entry>
+                <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
+              </row>
            </tbody>
          </tgroup>
        </table>
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -566,6 +566,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "s390_pci_mmio_write\0"
 #endif
        },
+        [SYSCALL_FILTER_SET_REBOOT] = {
+                .name = "@reboot",
+                .help = "Reboot and reboot preparation/kexec",
+                .value =
+                "kexec\0"
+                "kexec_file_load\0"
+                "reboot\0"
+        },
        [SYSCALL_FILTER_SET_RESOURCES] = {
                /* Alter resource settings */
                .name = "@resources",
@ -582,6 +590,13 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "sched_setattr\0"
                "prlimit64\0"
        },
+        [SYSCALL_FILTER_SET_SWAP] = {
+                .name = "@swap",
+                .help = "Enable/disable swap devices",
+                .value =
+                "swapoff\0"
+                "swapon\0"
+        },
 };

 const SyscallFilterSet *syscall_filter_set_find(const char *name) {
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@ -56,7 +56,9 @@ enum {
        SYSCALL_FILTER_SET_PRIVILEGED,
        SYSCALL_FILTER_SET_PROCESS,
        SYSCALL_FILTER_SET_RAW_IO,
+        SYSCALL_FILTER_SET_REBOOT,
        SYSCALL_FILTER_SET_RESOURCES,
+        SYSCALL_FILTER_SET_SWAP,
        _SYSCALL_FILTER_SET_MAX
 };