summaryrefslogtreecommitdiff
path: root/man/systemd.exec.xml
diff options
context:
space:
mode:
authorTopi Miettinen <topimiettinen@users.noreply.github.com>2016-06-01 09:56:01 +0000
committerLennart Poettering <lennart@poettering.net>2016-06-01 11:56:01 +0200
commit201c1cc22a41df1f4ef7706bde41e2536bef433f (patch)
tree452460094ba15a3feea15a2cc202b68673a20c8f /man/systemd.exec.xml
parentce3eb7790ca20be6b429d23b26d2d8bd25f71ef9 (diff)
core: add pre-defined syscall groups to SystemCallFilter= (#3053) (#3157)
Implement sets of system calls to help constructing system call filters. A set starts with '@' to distinguish from a system call. Closes: #3053, #3157
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r--man/systemd.exec.xml73
1 files changed, 72 insertions, 1 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 4d52982b64..58f18f3a9e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1193,7 +1193,78 @@
<function>read</function> and <function>write</function>, and
right after it add a blacklisting of
<function>write</function>, then <function>write</function>
- will be removed from the set.) </para></listitem>
+ will be removed from the set.)</para>
+
+ <para>As the number of possible system
+ calls is large, predefined sets of system calls are provided.
+ A set starts with <literal>@</literal> character, followed by
+ name of the set.
+
+ <table>
+ <title>Currently predefined system call sets</title>
+
+ <tgroup cols='2'>
+ <colspec colname='set' />
+ <colspec colname='description' />
+ <thead>
+ <row>
+ <entry>Set</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>@clock</entry>
+ <entry>System calls for changing the system clock (<function>adjtimex()</function>,
+ <function>settimeofday()</function>)</entry>
+ </row>
+ <row>
+ <entry>@io-event</entry>
+ <entry>Event loop use (<function>poll()</function>, <function>select()</function>,
+ <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <function>eventfd()</function>...)</entry>
+ </row>
+ <row>
+ <entry>@ipc</entry>
+ <entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
+ </row>
+ <row>
+ <entry>@module</entry>
+ <entry>Kernel module control (<function>create_module()</function>, <function>init_module()</function>...)</entry>
+ </row>
+ <row>
+ <entry>@mount</entry>
+ <entry>File system mounting and unmounting (<function>chroot()</function>, <function>mount()</function>...)</entry>
+ </row>
+ <row>
+ <entry>@network-io</entry>
+ <entry>Socket I/O (including local AF_UNIX):
+ <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
+ </row>
+ <row>
+ <entry>@obsolete</entry>
+ <entry>Unusual, obsolete or unimplemented (<function>fattach()</function>, <function>gtty()</function>, <function>vm86()</function>...)</entry>
+ </row>
+ <row>
+ <entry>@privileged</entry>
+ <entry>All system calls which need superuser capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
+ </row>
+ <row>
+ <entry>@process</entry>
+ <entry>Process control, execution, namespaces (<function>execve()</function>, <function>kill()</function>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>...)</entry>
+ </row>
+ <row>
+ <entry>@raw-io</entry>
+ <entry>Raw I/O ports (<function>ioperm()</function>, <function>iopl()</function>, <function>pciconfig_read()</function>...)</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ Note, that as new system calls are added to the kernel, additional system calls might be added to the groups
+ above, so the contents of the sets may change between systemd versions.</para></listitem>
</varlistentry>
<varlistentry>