author | Lennart Poettering <lennart@poettering.net> | 2016-11-22 01:29:12 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-11-21 19:29:12 -0500 |
commit | 1a1b13c9573b8cd30a4ab8dca2ec7961e460f083 (patch) | |
tree | 7bd8dd2c4ca1ee7a1c6d36ae4b254d2966f0d442 | |
parent | 6680b8d118490bbb3e5522729ec50d9975088fd5 (diff) |
seccomp: add @filesystem syscall group (#4537)
@filesystem groups various file system operations, such as opening files and
directories for read/write and stat()ing them, plus renaming, deleting,
symlinking, hardlinking.
-rw-r--r-- | man/systemd.exec.xml | 4 | ||||
-rw-r--r-- | src/shared/seccomp-util.c | 72 | ||||
-rw-r--r-- | src/shared/seccomp-util.h | 1 |
3 files changed, 77 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 2ea4a53d18..03e55a7aff 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1356,6 +1356,10 @@
 <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
 </row>
 <row>
+ <entry>@file-system</entry>
+ <entry>File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links.</entry>
+ </row>
+ <row>
 <entry>@io-event</entry>
 <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
 </row>
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 4e4b2faca9..66b72b2b27 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -290,6 +290,78 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 #endif
 "sys_debug_setcontext\0"
 },
+ [SYSCALL_FILTER_SET_FILE_SYSTEM] = {
+ .name = "@file-system",
+ .help = "File system operations",
+ .value =
+ "access\0"
+ "chdir\0"
+ "chmod\0"
+ "close\0"
+ "creat\0"
+ "faccessat\0"
+ "fallocate\0"
+ "fchdir\0"
+ "fchmod\0"
+ "fchmodat\0"
+ "fcntl64\0"
+ "fcntl\0"
+ "fgetxattr\0"
+ "flistxattr\0"
+ "fsetxattr\0"
+ "fstat64\0"
+ "fstat\0"
+ "fstatat64\0"
+ "fstatfs64\0"
+ "fstatfs\0"
+ "ftruncate64\0"
+ "ftruncate\0"
+ "futimesat\0"
+ "getcwd\0"
+ "getdents64\0"
+ "getdents\0"
+ "getxattr\0"
+ "inotify_add_watch\0"
+ "inotify_init1\0"
+ "inotify_rm_watch\0"
+ "lgetxattr\0"
+ "link\0"
+ "linkat\0"
+ "listxattr\0"
+ "llistxattr\0"
+ "lremovexattr\0"
+ "lsetxattr\0"
+ "lstat64\0"
+ "lstat\0"
+ "mkdir\0"
+ "mkdirat\0"
+ "mknod\0"
+ "mknodat\0"
+ "mmap2\0"
+ "mmap\0"
+ "newfstatat\0"
+ "open\0"
+ "openat\0"
+ "readlink\0"
+ "readlinkat\0"
+ "removexattr\0"
+ "rename\0"
+ "renameat2\0"
+ "renameat\0"
+ "rmdir\0"
+ "setxattr\0"
+ "stat64\0"
+ "stat\0"
+ "statfs\0"
+ "symlink\0"
+ "symlinkat\0"
+ "truncate64\0"
+ "truncate\0"
+ "unlink\0"
+ "unlinkat\0"
+ "utimensat\0"
+ "utimes\0"
+ },
 [SYSCALL_FILTER_SET_IO_EVENT] = {
 .name = "@io-event",
 .help = "Event loop system calls",
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 438a6671bc..01cf331b29 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -45,6 +45,7 @@ enum {
 SYSCALL_FILTER_SET_CLOCK,
 SYSCALL_FILTER_SET_CPU_EMULATION,
 SYSCALL_FILTER_SET_DEBUG,
+ SYSCALL_FILTER_SET_FILE_SYSTEM,
 SYSCALL_FILTER_SET_IO_EVENT,
 SYSCALL_FILTER_SET_IPC,
 SYSCALL_FILTER_SET_KEYRING, |
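Review bot: The xattr family in the new @file-system list is incomplete: `fgetxattr`, `fsetxattr` and `flistxattr` are allowed alongside the path and l-variants, but `fremovexattr` is absent even though `removexattr` and `lremovexattr` are present, so a process that removes an attribute through a descriptor is filtered while the equivalent by-path call passes. The same pairing gap appears to hold for `statfs64` (only `statfs`, `fstatfs` and `fstatfs64` are listed) and for `inotify_init` next to `inotify_init1`; whether those legacy entry points matter depends on the architectures this set is meant to cover, so treat that as something to confirm. I would add `"fremovexattr\0"` after `"flistxattr\0"`, `"statfs64\0"` after `"statfs\0"`, and `"inotify_init\0"` before `"inotify_init1\0"`, keeping the list sorted as it is now. Note also that `mmap`/`mmap2` are included although the `.help` string and the man-page entry describe only file operations; if mapping files is intended to be part of the group, the help text should say so, since it widens what a unit allow-listing @file-system gets. The `syscall_filter_sets` initializer this hunk extends starts and ends outside the hunk.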