seccomp: add two new syscall groups

@resources contains various syscalls that alter resource limits and memory and scheduling parameters of processes. As such they are good candidates to block for most services. @basic-io contains a number of basic syscalls for I/O, similar to the list seccomp v1 permitted but slightly more complete. It should be useful for building basic whitelisting for minimal sandboxes
author: Lennart Poettering <lennart@poettering.net> 2016-11-02 08:46:18 -0600
committer: Lennart Poettering <lennart@poettering.net> 2016-11-02 08:50:00 -0600
commit: 133ddbbeae74fc06173633605b3e612e934bc2dd (patch)
tree: e642c6e827ecbd0ee47be2628e05c22aa389055c /src/shared/seccomp-util.h
parent: aa6b9cec8813c2135049cecc2247a202ff6e311d (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 8050fc6fbf..8e209efef2 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -38,6 +38,7 @@ typedef struct SyscallFilterSet {
 } SyscallFilterSet;
 
 enum {
+        SYSCALL_FILTER_SET_BASIC_IO,
         SYSCALL_FILTER_SET_CLOCK,
         SYSCALL_FILTER_SET_CPU_EMULATION,
         SYSCALL_FILTER_SET_DEBUG,
@@ -52,6 +53,7 @@ enum {
         SYSCALL_FILTER_SET_PRIVILEGED,
         SYSCALL_FILTER_SET_PROCESS,
         SYSCALL_FILTER_SET_RAW_IO,
+        SYSCALL_FILTER_SET_RESOURCES,
         _SYSCALL_FILTER_SET_MAX
 };
author	Lennart Poettering <lennart@poettering.net>	2016-11-02 08:46:18 -0600
committer	Lennart Poettering <lennart@poettering.net>	2016-11-02 08:50:00 -0600
commit	133ddbbeae74fc06173633605b3e612e934bc2dd (patch)
tree	e642c6e827ecbd0ee47be2628e05c22aa389055c /src/shared/seccomp-util.h
parent	aa6b9cec8813c2135049cecc2247a202ff6e311d (diff)