mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00

seccomp-util: add new @sandbox syscall group with landlock/seccomp

Let's group these 4 syscalls, as they offer similar things and I guess
might be used in conjunction quite often, as they offer unprivileged
sandboxing.

Fixes: #26913
Lennart Poettering 2023-03-24 11:15:21 +01:00
parent aadbd81f7f
commit d12632a861
2 changed files with 10 additions and 0 deletions


@ -800,6 +800,15 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"setpriority\0" "setpriority\0"
"setrlimit\0" "setrlimit\0"
}, },
[SYSCALL_FILTER_SET_SANDBOX] = {
.name = "@sandbox",
.help = "Sandbox functionality",
.value =
"landlock_add_rule\0"
"landlock_create_ruleset\0"
"landlock_restrict_self\0"
"seccomp\0"
},
[SYSCALL_FILTER_SET_SETUID] = { [SYSCALL_FILTER_SET_SETUID] = {
.name = "@setuid", .name = "@setuid",
.help = "Operations for changing user/group credentials", .help = "Operations for changing user/group credentials",
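Review bot: The new `@sandbox` entry lists the `seccomp` syscall but does not mention that a seccomp filter can also be installed through `prctl(PR_SET_SECCOMP, ...)`, which is not part of this set. A reader who deny-lists `@sandbox` could therefore wrongly assume the service can no longer install filters, and a reader who allow-lists it could assume it covers every self-sandboxing path. I would add a comment above `.value`, for example `/* seccomp filters may also be installed via prctl(PR_SET_SECCOMP), which is not covered by this set */`, and make the `.help` text say that these are the unprivileged self-sandboxing calls (Landlock and seccomp). The commit changes only two files, so any user-facing list of predefined sets presumably still needs an `@sandbox` row; that cannot be confirmed from this page.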


@ -49,6 +49,7 @@ enum {
SYSCALL_FILTER_SET_RAW_IO, SYSCALL_FILTER_SET_RAW_IO,
SYSCALL_FILTER_SET_REBOOT, SYSCALL_FILTER_SET_REBOOT,
SYSCALL_FILTER_SET_RESOURCES, SYSCALL_FILTER_SET_RESOURCES,
SYSCALL_FILTER_SET_SANDBOX,
SYSCALL_FILTER_SET_SETUID, SYSCALL_FILTER_SET_SETUID,
SYSCALL_FILTER_SET_SIGNAL, SYSCALL_FILTER_SET_SIGNAL,
SYSCALL_FILTER_SET_SWAP, SYSCALL_FILTER_SET_SWAP,