author: Lennart Poettering <lennart@poettering.net> 2016-10-25 15:42:10 +0200
committer: Lennart Poettering <lennart@poettering.net> 2016-11-02 08:49:59 -0600
commit: a8c157ff3081ee963adb0d046015abf9a271fa67 (patch)
tree: a4bec5443d4b336d8939360905a07b9fa96b55ea
parent: c79aff9a82abf361aea47b5c745ed9729c5f0212 (diff)
seccomp: drop execve() from @process list
The system call is already part of @default, hence implicitly allowed anyway. Also, if it is actually blocked then systemd couldn't execute the service in question anymore, since the application of seccomp is immediately followed by it.
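To illustrate the point the commit message makes (a seccomp filter that blocks execve(2) would fail the service at the very next step), here is an added example that is not systemd code: a forked child installs a raw classic-BPF seccomp filter that denies execve(2) and execveat(2) with EPERM and allows everything else, then immediately calls execve(), which is the same order of operations systemd performs when it spawns a service. Assumptions of this example: an x86_64 or aarch64 Linux kernel with seccomp filter support, a working /bin/sh, and the EPERM action rather than a kill action so that the failure is observable as a return value (a kill action would terminate the child at the same point instead). The function and macro names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not systemd code. Assumes x86_64 or aarch64; a real filter
 * must check seccomp_data.arch, otherwise syscall numbers are ambiguous. */
#if defined(__x86_64__)
#  define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Exit status the child reports when execve() actually went through. */
#define EXEC_OK_STATUS 42

/* Classic-BPF filter: kill on a foreign arch, EPERM for execve/execveat,
 * allow everything else. Installed with raw prctl(2); no libseccomp needed. */
static int install_deny_exec_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog fprog = {
        .len = sizeof(prog) / sizeof(prog[0]),
        .filter = prog,
    };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) < 0)
        return -errno;
    return 0;
}

/* Mirror the service-spawn sequence in a child: optionally apply the filter,
 * then immediately execve(). Returns the child's exit status: EXEC_OK_STATUS
 * when the exec went through, otherwise the errno execve() failed with. */
int exec_after_filter(int block_exec) {
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        if (block_exec && install_deny_exec_filter() < 0)
            _exit(100);                   /* filter could not be installed */
        char *argv[] = { "sh", "-c", "exit 42", NULL };   /* 42 == EXEC_OK_STATUS */
        char *envp[] = { NULL };
        execve("/bin/sh", argv, envp);
        _exit(errno);                     /* only reached if execve() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("execve without filter: child exit status %d\n", exec_after_filter(0));
    printf("execve behind deny filter: child exit status %d (EPERM is %d)\n",
           exec_after_filter(1), EPERM);
    return 0;
}
```

The unfiltered child exits 42 because /bin/sh ran; the filtered child never reaches the shell and exits with EPERM, which is the situation the commit avoids by keeping execve out of any set a unit could blacklist.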
-rw-r--r--  man/systemd.exec.xml     2
-rw-r--r--  src/shared/seccomp-util.c  1
2 files changed, 1 insertion, 2 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index e7d8bb23a4..d45e5362dc 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1347,7 +1347,7 @@
</row>
<row>
<entry>@process</entry>
- <entry>Process control, execution, namespaces (<citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …</entry>
+ <entry>Process control, execution, namespaces (<citerefentry project='man-pages'><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …</entry>
</row>
<row>
<entry>@raw-io</entry>
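Review bot: the rewritten @process entry drops execve(2) from its example list but gives the reader no pointer to where that call now lives; since the commit message states execve is part of @default, consider saying so in this row or in the @default row, so that someone scanning the table for execve does not conclude it is unfiltered. Replacing it with clone(2) as the example is fine and matches the set's contents.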
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index ad5782fb29..70723e9e4e 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -443,7 +443,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.value =
"arch_prctl\0"
"clone\0"
- "execve\0"
"execveat\0"
"fork\0"
"kill\0"
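Review bot: with `"execve\0"` removed while `"execveat\0"` stays, the two exec entry points are now classified differently and nothing in the source explains why; the rationale in the commit message (execve is in @default, and the filter is applied right before systemd's own execve of the service) covers only execve. A one-line comment next to `"execveat\0"` stating that execve is deliberately absent because it belongs to @default would spare the next reader the question.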