mirror of
https://github.com/systemd/systemd.git
synced 2024-12-23 21:35:11 +03:00
seccomp-util: add new @sandbox syscall group with landlock/seccomp
Let's group these 4 syscalls, as they offer similar things and I guess might be used in conjunction quite often, as they offer unprivileged sandboxing. Fixes: #26913
parent
aadbd81f7f
commit
d12632a861
@ -800,6 +800,15 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
"setpriority\0"
|
||||
"setrlimit\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_SANDBOX] = {
|
||||
.name = "@sandbox",
|
||||
.help = "Sandbox functionality",
|
||||
.value =
|
||||
"landlock_add_rule\0"
|
||||
"landlock_create_ruleset\0"
|
||||
"landlock_restrict_self\0"
|
||||
"seccomp\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_SETUID] = {
|
||||
.name = "@setuid",
|
||||
.help = "Operations for changing user/group credentials",
|
||||
|
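Review bot: The new `@sandbox` entry lists the `seccomp` syscall, but a seccomp filter can also be installed through `prctl(PR_SET_SECCOMP, …)` and `prctl` is not in this group, so the help text "Sandbox functionality" overstates what allow-listing or deny-listing the group controls. I would add a comment above the entry, for example `/* Unprivileged self-sandboxing: Landlock and seccomp(2); seccomp set up via prctl() is not covered here */`. The visible hunks also do not add `@sandbox` to any umbrella group, so a service running under a syscall allow-list may still be unable to apply Landlock rules to itself unless that is handled elsewhere; this is worth confirming, along with the `SystemCallFilter=` documentation listing the new group. The `syscall_filter_sets` initializer begins above the hunk and the `@setuid` entry continues below it.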
@ -49,6 +49,7 @@ enum {
|
||||
SYSCALL_FILTER_SET_RAW_IO,
|
||||
SYSCALL_FILTER_SET_REBOOT,
|
||||
SYSCALL_FILTER_SET_RESOURCES,
|
||||
SYSCALL_FILTER_SET_SANDBOX,
|
||||
SYSCALL_FILTER_SET_SETUID,
|
||||
SYSCALL_FILTER_SET_SIGNAL,
|
||||
SYSCALL_FILTER_SET_SWAP,
|
||||
|