diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-05-21 20:48:39 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-05-21 20:49:24 +0200 |
commit | 5ba7a26847846322740c02b9b469f42ea4c3f105 (patch) | |
tree | 4377ddf8124b0b6adf303149ff2b04b41fee4fed /src/nspawn/nspawn.c | |
parent | 4c6d20dece1da97c31cd88ddebc007bf33204b82 (diff) |
nspawn: prohibit access to the kernel log buffer by default
Unless CAP_SYSLOG is explicitly passed block all access to kmg
Diffstat (limited to 'src/nspawn/nspawn.c')
-rw-r--r-- | src/nspawn/nspawn.c | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 73f292e284..500936387f 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -2932,15 +2932,16 @@ static int setup_seccomp(void) { uint64_t capability; int syscall_num; } blacklist[] = { - { CAP_SYS_RAWIO, SCMP_SYS(iopl)}, - { CAP_SYS_RAWIO, SCMP_SYS(ioperm)}, - { CAP_SYS_BOOT, SCMP_SYS(kexec_load)}, - { CAP_SYS_ADMIN, SCMP_SYS(swapon)}, - { CAP_SYS_ADMIN, SCMP_SYS(swapoff)}, - { CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at)}, - { CAP_SYS_MODULE, SCMP_SYS(init_module)}, - { CAP_SYS_MODULE, SCMP_SYS(finit_module)}, - { CAP_SYS_MODULE, SCMP_SYS(delete_module)}, + { CAP_SYS_RAWIO, SCMP_SYS(iopl) }, + { CAP_SYS_RAWIO, SCMP_SYS(ioperm) }, + { CAP_SYS_BOOT, SCMP_SYS(kexec_load) }, + { CAP_SYS_ADMIN, SCMP_SYS(swapon) }, + { CAP_SYS_ADMIN, SCMP_SYS(swapoff) }, + { CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at) }, + { CAP_SYS_MODULE, SCMP_SYS(init_module) }, + { CAP_SYS_MODULE, SCMP_SYS(finit_module) }, + { CAP_SYS_MODULE, SCMP_SYS(delete_module) }, + { CAP_SYSLOG, SCMP_SYS(syslog) }, }; scmp_filter_ctx seccomp; |