diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-11-22 01:29:12 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-11-21 19:29:12 -0500 |
commit | 1a1b13c9573b8cd30a4ab8dca2ec7961e460f083 (patch) | |
tree | 7bd8dd2c4ca1ee7a1c6d36ae4b254d2966f0d442 /src/shared/seccomp-util.c | |
parent | 6680b8d118490bbb3e5522729ec50d9975088fd5 (diff) |
seccomp: add @filesystem syscall group (#4537)
@filesystem groups various file system operations, such as opening files and
directories for read/write and stat()ing them, plus renaming, deleting,
symlinking, hardlinking.
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r-- | src/shared/seccomp-util.c | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 4e4b2faca9..66b72b2b27 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -290,6 +290,78 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { #endif "sys_debug_setcontext\0" }, + [SYSCALL_FILTER_SET_FILE_SYSTEM] = { + .name = "@file-system", + .help = "File system operations", + .value = + "access\0" + "chdir\0" + "chmod\0" + "close\0" + "creat\0" + "faccessat\0" + "fallocate\0" + "fchdir\0" + "fchmod\0" + "fchmodat\0" + "fcntl64\0" + "fcntl\0" + "fgetxattr\0" + "flistxattr\0" + "fsetxattr\0" + "fstat64\0" + "fstat\0" + "fstatat64\0" + "fstatfs64\0" + "fstatfs\0" + "ftruncate64\0" + "ftruncate\0" + "futimesat\0" + "getcwd\0" + "getdents64\0" + "getdents\0" + "getxattr\0" + "inotify_add_watch\0" + "inotify_init1\0" + "inotify_rm_watch\0" + "lgetxattr\0" + "link\0" + "linkat\0" + "listxattr\0" + "llistxattr\0" + "lremovexattr\0" + "lsetxattr\0" + "lstat64\0" + "lstat\0" + "mkdir\0" + "mkdirat\0" + "mknod\0" + "mknodat\0" + "mmap2\0" + "mmap\0" + "newfstatat\0" + "open\0" + "openat\0" + "readlink\0" + "readlinkat\0" + "removexattr\0" + "rename\0" + "renameat2\0" + "renameat\0" + "rmdir\0" + "setxattr\0" + "stat64\0" + "stat\0" + "statfs\0" + "symlink\0" + "symlinkat\0" + "truncate64\0" + "truncate\0" + "unlink\0" + "unlinkat\0" + "utimensat\0" + "utimes\0" + }, [SYSCALL_FILTER_SET_IO_EVENT] = { .name = "@io-event", .help = "Event loop system calls", |