seccomp-util: include @sandbox in @default

Every services and containers should be able to protect their users and limit the impact of security bugs thanks to the security syscalls provided by seccomp and Landlock. The goal of these syscalls is to improve security with additional restrictions. They are designed to be safely used by unprivileged (and then potentially malicious) users. Remove the now-redundant "seccomp" entry for nspawn. (cherry picked from commit e9966634754b8c9ee3f3c579f25d938e185c282e)
2025-03-19 22:50:17 +03:00 · 2024-09-25 15:20:23 +02:00 · 2024-09-25 15:20:23 +02:00 · c53c1a0fac
commit c53c1a0fac
parent 53b5032ffd
2 changed files with 1 additions and 1 deletions
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@ -84,7 +84,6 @@ static int add_syscall_filters(
                { 0,                  "sched_rr_get_interval"        },
                { 0,                  "sched_rr_get_interval_time64" },
                { 0,                  "sched_yield"                  },
-                { 0,                  "seccomp"                      },
                { 0,                  "sendfile"                     },
                { 0,                  "sendfile64"                   },
                { 0,                  "setdomainname"                },
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -318,6 +318,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                .name = "@default",
                .help = "System calls that are always permitted",
                .value =
+                "@sandbox\0"
                "arch_prctl\0"      /* Used during platform-specific initialization by ld-linux.so. */
                "brk\0"
                "cacheflush\0"