seccomp: add @filesystem syscall group (#4537)

@filesystem groups various file system operations, such as opening files and directories for read/write and stat()ing them, plus renaming, deleting, symlinking, hardlinking.
author: Lennart Poettering <lennart@poettering.net> 2016-11-22 01:29:12 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2016-11-21 19:29:12 -0500
commit: 1a1b13c9573b8cd30a4ab8dca2ec7961e460f083 (patch)
tree: 7bd8dd2c4ca1ee7a1c6d36ae4b254d2966f0d442 /src/shared/seccomp-util.c
parent: 6680b8d118490bbb3e5522729ec50d9975088fd5 (diff)
1 files changed, 72 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 4e4b2faca9..66b72b2b27 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -290,6 +290,78 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 #endif
                 "sys_debug_setcontext\0"
         },
+        [SYSCALL_FILTER_SET_FILE_SYSTEM] = {
+                .name = "@file-system",
+                .help = "File system operations",
+                .value =
+                "access\0"
+                "chdir\0"
+                "chmod\0"
+                "close\0"
+                "creat\0"
+                "faccessat\0"
+                "fallocate\0"
+                "fchdir\0"
+                "fchmod\0"
+                "fchmodat\0"
+                "fcntl64\0"
+                "fcntl\0"
+                "fgetxattr\0"
+                "flistxattr\0"
+                "fsetxattr\0"
+                "fstat64\0"
+                "fstat\0"
+                "fstatat64\0"
+                "fstatfs64\0"
+                "fstatfs\0"
+                "ftruncate64\0"
+                "ftruncate\0"
+                "futimesat\0"
+                "getcwd\0"
+                "getdents64\0"
+                "getdents\0"
+                "getxattr\0"
+                "inotify_add_watch\0"
+                "inotify_init1\0"
+                "inotify_rm_watch\0"
+                "lgetxattr\0"
+                "link\0"
+                "linkat\0"
+                "listxattr\0"
+                "llistxattr\0"
+                "lremovexattr\0"
+                "lsetxattr\0"
+                "lstat64\0"
+                "lstat\0"
+                "mkdir\0"
+                "mkdirat\0"
+                "mknod\0"
+                "mknodat\0"
+                "mmap2\0"
+                "mmap\0"
+                "newfstatat\0"
+                "open\0"
+                "openat\0"
+                "readlink\0"
+                "readlinkat\0"
+                "removexattr\0"
+                "rename\0"
+                "renameat2\0"
+                "renameat\0"
+                "rmdir\0"
+                "setxattr\0"
+                "stat64\0"
+                "stat\0"
+                "statfs\0"
+                "symlink\0"
+                "symlinkat\0"
+                "truncate64\0"
+                "truncate\0"
+                "unlink\0"
+                "unlinkat\0"
+                "utimensat\0"
+                "utimes\0"
+        },
         [SYSCALL_FILTER_SET_IO_EVENT] = {
                 .name = "@io-event",
                 .help = "Event loop system calls",
author	Lennart Poettering <lennart@poettering.net>	2016-11-22 01:29:12 +0100
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2016-11-21 19:29:12 -0500
commit	1a1b13c9573b8cd30a4ab8dca2ec7961e460f083 (patch)
tree	7bd8dd2c4ca1ee7a1c6d36ae4b254d2966f0d442 /src/shared/seccomp-util.c
parent	6680b8d118490bbb3e5522729ec50d9975088fd5 (diff)