authorLennart Poettering <lennart@poettering.net>2016-10-25 15:38:36 +0200
committerLennart Poettering <lennart@poettering.net>2016-11-02 08:49:59 -0600
commitc79aff9a82abf361aea47b5c745ed9729c5f0212 (patch)
treef88550f7a6e129562226a15ef52ddd10ad136f1d /src/shared/seccomp-util.c
parent67234d218b11ce66d44f2479f4df8fdbd07d9e5b (diff)
seccomp: add clock query and sleeping syscalls to "@default" group
Timing and sleep are such basic operations that it makes very little sense to ever block them, hence don't.
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r--src/shared/seccomp-util.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 1cbbb9d757..ad5782fb29 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -253,15 +253,22 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"sys_debug_setcontext\0"
},
[SYSCALL_FILTER_SET_DEFAULT] = {
- /* Default list */
+ /* Default list: the most basic of operations */
.name = "@default",
.value =
+ "clock_getres\0"
+ "clock_gettime\0"
+ "clock_nanosleep\0"
"execve\0"
"exit\0"
"exit_group\0"
"getrlimit\0" /* make sure processes can query stack size and such */
+ "gettimeofday\0"
+ "nanosleep\0"
+ "pause\0"
"rt_sigreturn\0"
"sigreturn\0"
+ "time\0"
},
[SYSCALL_FILTER_SET_IO_EVENT] = {
/* Event loop use */
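Review bot: The reworded comment on `[SYSCALL_FILTER_SET_DEFAULT]` ("the most basic of operations") does not record the criterion for membership, and the seven added entries carry no why-comment the way the `getrlimit` line does. If, as the commit message implies, entries in `@default` are ones a filter is never expected to block, then each addition widens the syscall surface of every unit that relies on this set, so the rule is worth writing down: `/* Default list: basic operations that are never worth blocking; for time, only queries and sleeping */`. A trailing comment on the first clock entry, e.g. `"clock_getres\0" /* query and sleep only; clock-setting calls deliberately stay out */`, would keep a later editor from adding `clock_settime` or `settimeofday` here by analogy. The `syscall_filter_sets` initializer starts and continues outside this hunk.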