shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-08-24 09:49:49 +03:00
Code Activity

seccomp-util: include @sandbox in @default

Browse Source 
Every services and containers should be able to protect their users and
limit the impact of security bugs thanks to the security syscalls
provided by seccomp and Landlock.  The goal of these syscalls is to
improve security with additional restrictions.  They are designed to be
safely used by unprivileged (and then potentially malicious) users.

Remove the now-redundant "seccomp" entry for nspawn.

(cherry picked from commit e996663475)
This commit is contained in:
Mickaël Salaün
2024-09-25 15:20:23 +02:00
committed by Luca Boccassi
parent 53b5032ffd
commit c53c1a0fac
2 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/nspawn/nspawn-seccomp.c
View File

@ -84,7 +84,6 @@ static int add_syscall_filters(
{ 0, "sched_rr_get_interval" }, { 0, "sched_rr_get_interval" },
{ 0, "sched_rr_get_interval_time64" }, { 0, "sched_rr_get_interval_time64" },
{ 0, "sched_yield" }, { 0, "sched_yield" },
{ 0, "seccomp" },
{ 0, "sendfile" }, { 0, "sendfile" },
{ 0, "sendfile64" }, { 0, "sendfile64" },
{ 0, "setdomainname" }, { 0, "setdomainname" },

1
src/shared/seccomp-util.c
View File

@ -318,6 +318,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.name = "@default", .name = "@default",
.help = "System calls that are always permitted", .help = "System calls that are always permitted",
.value = .value =
"@sandbox\0"
"arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */ "arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */
"brk\0" "brk\0"
"cacheflush\0" "cacheflush\0"