mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
seccomp-util: include @sandbox in @default
Every services and containers should be able to protect their users and limit the impact of security bugs thanks to the security syscalls provided by seccomp and Landlock. The goal of these syscalls is to improve security with additional restrictions. They are designed to be safely used by unprivileged (and then potentially malicious) users. Remove the now-redundant "seccomp" entry for nspawn.
This commit is contained in:
parent
1ca81b2e00
commit
e996663475
@ -84,7 +84,6 @@ static int add_syscall_filters(
|
||||
{ 0, "sched_rr_get_interval" },
|
||||
{ 0, "sched_rr_get_interval_time64" },
|
||||
{ 0, "sched_yield" },
|
||||
{ 0, "seccomp" },
|
||||
{ 0, "sendfile" },
|
||||
{ 0, "sendfile64" },
|
||||
{ 0, "setdomainname" },
|
||||
|
@ -318,6 +318,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
.name = "@default",
|
||||
.help = "System calls that are always permitted",
|
||||
.value =
|
||||
"@sandbox\0"
|
||||
"arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */
|
||||
"brk\0"
|
||||
"cacheflush\0"
|
||||
|
Loading…
Reference in New Issue
Block a user