author | Lennart Poettering <lennart@poettering.net> | 2016-12-27 14:26:55 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-12-27 18:09:37 +0100 |
commit | bd2ab3f4f67d51c56d6d2813e8ae4802c5a59575 (patch) | |
tree | 8c1605a40cc69bd58b48d71d3f6fd2601cd6f68f | |
parent | 27e2e3231fc1edbbaa9f73be363900701ab4598d (diff) |
seccomp: add two new filter sets: @reboot and @swap
These group reboot()/kexec() and swapon()/swapoff() respectively
-rw-r--r-- | man/systemd.exec.xml | 8 | ||||
-rw-r--r-- | src/shared/seccomp-util.c | 15 | ||||
-rw-r--r-- | src/shared/seccomp-util.h | 2 |
3 files changed, 25 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 812e615530..202b912b55 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1425,9 +1425,17 @@
 <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …)</entry>
 </row>
 <row>
+ <entry>@reboot</entry>
+ <entry>System calls for rebooting and reboot preparation (<citerefentry project='man-pages'><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>kexec()</function>, …)</entry>
+ </row>
+ <row>
 <entry>@resources</entry>
 <entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
 </row>
+ <row>
+ <entry>@swap</entry>
+ <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
+ </row>
 </tbody>
 </tgroup>
 </table>
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 66b72b2b27..28c2079f30 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -566,6 +566,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "s390_pci_mmio_write\0"
 #endif
 },
+ [SYSCALL_FILTER_SET_REBOOT] = {
+ .name = "@reboot",
+ .help = "Reboot and reboot preparation/kexec",
+ .value =
+ "kexec\0"
+ "kexec_file_load\0"
+ "reboot\0"
+ },
 [SYSCALL_FILTER_SET_RESOURCES] = {
 /* Alter resource settings */
 .name = "@resources",
@@ -582,6 +590,13 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "sched_setattr\0"
 "prlimit64\0"
 },
+ [SYSCALL_FILTER_SET_SWAP] = {
+ .name = "@swap",
+ .help = "Enable/disable swap devices",
+ .value =
+ "swapoff\0"
+ "swapon\0"
+ },
 };
 
 const SyscallFilterSet *syscall_filter_set_find(const char *name) {
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 01cf331b29..2e9980e74b 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -56,7 +56,9 @@ enum {
 SYSCALL_FILTER_SET_PRIVILEGED,
 SYSCALL_FILTER_SET_PROCESS,
 SYSCALL_FILTER_SET_RAW_IO,
+ SYSCALL_FILTER_SET_REBOOT,
 SYSCALL_FILTER_SET_RESOURCES,
+ SYSCALL_FILTER_SET_SWAP,
 _SYSCALL_FILTER_SET_MAX
 };
|
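Review bot: In the new `[SYSCALL_FILTER_SET_REBOOT]` entry of src/shared/seccomp-util.c, `"kexec\0"` does not name a Linux system call; the kexec entry points are `kexec_load` and `kexec_file_load`, so as written the set covers only the file-based variant and `reboot`. A unit relying on `SystemCallFilter=~@reboot` would presumably still be able to reach `kexec_load(2)`, depending on how names that fail to resolve are handled, which this hunk does not show. I would replace that line with `"kexec_load\0"`, placed after `"kexec_file_load\0"` to keep the list sorted, and change `<function>kexec()</function>` in the man/systemd.exec.xml hunk to match. The `syscall_filter_sets[]` initializer starts outside the hunk.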