mirror of
https://github.com/systemd/systemd.git
synced 2024-12-25 01:34:28 +03:00
seccomp-util: add new @sandbox syscall group with landlock/seccomp
Let's group these 4 syscalls, as they offer similar things and I guess might be used in conjunction quite often, as they offer unprivileged sandboxing. Fixes: #26913
This commit is contained in:
parent
aadbd81f7f
commit
d12632a861
@ -800,6 +800,15 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||||||
"setpriority\0"
|
"setpriority\0"
|
||||||
"setrlimit\0"
|
"setrlimit\0"
|
||||||
},
|
},
|
||||||
|
[SYSCALL_FILTER_SET_SANDBOX] = {
|
||||||
|
.name = "@sandbox",
|
||||||
|
.help = "Sandbox functionality",
|
||||||
|
.value =
|
||||||
|
"landlock_add_rule\0"
|
||||||
|
"landlock_create_ruleset\0"
|
||||||
|
"landlock_restrict_self\0"
|
||||||
|
"seccomp\0"
|
||||||
|
},
|
||||||
[SYSCALL_FILTER_SET_SETUID] = {
|
[SYSCALL_FILTER_SET_SETUID] = {
|
||||||
.name = "@setuid",
|
.name = "@setuid",
|
||||||
.help = "Operations for changing user/group credentials",
|
.help = "Operations for changing user/group credentials",
|
||||||
|
@ -49,6 +49,7 @@ enum {
|
|||||||
SYSCALL_FILTER_SET_RAW_IO,
|
SYSCALL_FILTER_SET_RAW_IO,
|
||||||
SYSCALL_FILTER_SET_REBOOT,
|
SYSCALL_FILTER_SET_REBOOT,
|
||||||
SYSCALL_FILTER_SET_RESOURCES,
|
SYSCALL_FILTER_SET_RESOURCES,
|
||||||
|
SYSCALL_FILTER_SET_SANDBOX,
|
||||||
SYSCALL_FILTER_SET_SETUID,
|
SYSCALL_FILTER_SET_SETUID,
|
||||||
SYSCALL_FILTER_SET_SIGNAL,
|
SYSCALL_FILTER_SET_SIGNAL,
|
||||||
SYSCALL_FILTER_SET_SWAP,
|
SYSCALL_FILTER_SET_SWAP,
|
||||||
|
Loading…
Reference in New Issue
Block a user