1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

seccomp-util: include @sandbox in @default

Every services and containers should be able to protect their users and
limit the impact of security bugs thanks to the security syscalls
provided by seccomp and Landlock.  The goal of these syscalls is to
improve security with additional restrictions.  They are designed to be
safely used by unprivileged (and then potentially malicious) users.

Remove the now-redundant "seccomp" entry for nspawn.
This commit is contained in:
Mickaël Salaün 2024-09-25 15:20:23 +02:00 committed by Luca Boccassi
parent 1ca81b2e00
commit e996663475
2 changed files with 1 additions and 1 deletions

View File

@ -84,7 +84,6 @@ static int add_syscall_filters(
{ 0, "sched_rr_get_interval" },
{ 0, "sched_rr_get_interval_time64" },
{ 0, "sched_yield" },
{ 0, "seccomp" },
{ 0, "sendfile" },
{ 0, "sendfile64" },
{ 0, "setdomainname" },

View File

@ -318,6 +318,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.name = "@default",
.help = "System calls that are always permitted",
.value =
"@sandbox\0"
"arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */
"brk\0"
"cacheflush\0"