authorLennart Poettering <lennart@poettering.net>2016-11-22 01:29:12 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-11-21 19:29:12 -0500
commit1a1b13c9573b8cd30a4ab8dca2ec7961e460f083 (patch)
tree7bd8dd2c4ca1ee7a1c6d36ae4b254d2966f0d442
parent6680b8d118490bbb3e5522729ec50d9975088fd5 (diff)
seccomp: add @filesystem syscall group (#4537)
@file-system groups various file system operations, such as opening files and directories for reading and writing and stat()ing them, plus renaming, deleting, symlinking and hardlinking.
-rw-r--r--man/systemd.exec.xml4
-rw-r--r--src/shared/seccomp-util.c72
-rw-r--r--src/shared/seccomp-util.h1
3 files changed, 77 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 2ea4a53d18..03e55a7aff 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1356,6 +1356,10 @@
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
</row>
<row>
+ <entry>@file-system</entry>
+ <entry>File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links.</entry>
+ </row>
+ <row>
<entry>@io-event</entry>
<entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
</row>
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 4e4b2faca9..66b72b2b27 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -290,6 +290,78 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
#endif
"sys_debug_setcontext\0"
},
+ [SYSCALL_FILTER_SET_FILE_SYSTEM] = {
+ .name = "@file-system",
+ .help = "File system operations",
+ .value =
+ "access\0"
+ "chdir\0"
+ "chmod\0"
+ "close\0"
+ "creat\0"
+ "faccessat\0"
+ "fallocate\0"
+ "fchdir\0"
+ "fchmod\0"
+ "fchmodat\0"
+ "fcntl64\0"
+ "fcntl\0"
+ "fgetxattr\0"
+ "flistxattr\0"
+ "fsetxattr\0"
+ "fstat64\0"
+ "fstat\0"
+ "fstatat64\0"
+ "fstatfs64\0"
+ "fstatfs\0"
+ "ftruncate64\0"
+ "ftruncate\0"
+ "futimesat\0"
+ "getcwd\0"
+ "getdents64\0"
+ "getdents\0"
+ "getxattr\0"
+ "inotify_add_watch\0"
+ "inotify_init1\0"
+ "inotify_rm_watch\0"
+ "lgetxattr\0"
+ "link\0"
+ "linkat\0"
+ "listxattr\0"
+ "llistxattr\0"
+ "lremovexattr\0"
+ "lsetxattr\0"
+ "lstat64\0"
+ "lstat\0"
+ "mkdir\0"
+ "mkdirat\0"
+ "mknod\0"
+ "mknodat\0"
+ "mmap2\0"
+ "mmap\0"
+ "newfstatat\0"
+ "open\0"
+ "openat\0"
+ "readlink\0"
+ "readlinkat\0"
+ "removexattr\0"
+ "rename\0"
+ "renameat2\0"
+ "renameat\0"
+ "rmdir\0"
+ "setxattr\0"
+ "stat64\0"
+ "stat\0"
+ "statfs\0"
+ "symlink\0"
+ "symlinkat\0"
+ "truncate64\0"
+ "truncate\0"
+ "unlink\0"
+ "unlinkat\0"
+ "utimensat\0"
+ "utimes\0"
+ },
[SYSCALL_FILTER_SET_IO_EVENT] = {
.name = "@io-event",
.help = "Event loop system calls",
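Review bot: `mmap` and `mmap2` (the two entries between `mknodat` and `newfstatat`) are memory-mapping calls rather than file-system operations, so the set is wider than its `.help` string "File system operations" and the man-page description state: an allow-list that grants @file-system also grants anonymous memory mappings, and a deny-list that removes @file-system will also remove mmap, which a dynamically linked process is unlikely to survive. Either move the two entries to a memory-related set or state in `.help` and the man page that memory mapping is included. The set is also asymmetric in a way that changes filtering results: `fgetxattr`, `fsetxattr` and `flistxattr` are listed but `fremovexattr` is not, `inotify_init1` is listed without `inotify_init`, and `statfs` without `statfs64`, so programs using those variants are filtered differently from their siblings. Adding `"fremovexattr\0"`, `"inotify_init\0"` and `"statfs64\0"` at their sorted positions closes that gap. The `syscall_filter_sets[]` array this entry belongs to begins and ends outside the hunk.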
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 438a6671bc..01cf331b29 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -45,6 +45,7 @@ enum {
SYSCALL_FILTER_SET_CLOCK,
SYSCALL_FILTER_SET_CPU_EMULATION,
SYSCALL_FILTER_SET_DEBUG,
+ SYSCALL_FILTER_SET_FILE_SYSTEM,
SYSCALL_FILTER_SET_IO_EVENT,
SYSCALL_FILTER_SET_IPC,
SYSCALL_FILTER_SET_KEYRING,