seccomp: make sure getrlimit() is among the default permitted syscalls

A lot of basic code wants to know the stack size, and it is safe if they do, hence let's permit getrlimit() (but not setrlimit()) by default. See: #3970
author: Lennart Poettering <lennart@poettering.net> 2016-08-17 17:53:25 +0200
committer: Lennart Poettering <lennart@poettering.net> 2016-08-22 14:17:23 +0200
commit: 4a4485ae69bddf6cc01d4c50f3f53535c2d8fea4 (patch)
tree: 8efe7c12615a3a5ca0952f97ea30bd6b1424b1b6
parent: 05b4d3b55c0a60aa17817d51129f2bc83914c1f4 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 8656d112b8..b549426e2b 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -127,6 +127,7 @@ const SystemCallFilterSet syscall_filter_sets[] = {
                 "execve\0"
                 "exit\0"
                 "exit_group\0"
+                "getrlimit\0"      /* make sure processes can query stack size and such */
                 "rt_sigreturn\0"
                 "sigreturn\0"
         }, {
author	Lennart Poettering <lennart@poettering.net>	2016-08-17 17:53:25 +0200
committer	Lennart Poettering <lennart@poettering.net>	2016-08-22 14:17:23 +0200
commit	4a4485ae69bddf6cc01d4c50f3f53535c2d8fea4 (patch)
tree	8efe7c12615a3a5ca0952f97ea30bd6b1424b1b6
parent	05b4d3b55c0a60aa17817d51129f2bc83914c1f4 (diff)