seccomp: add two new filter sets: @reboot and @swap

These groupe reboot()/kexec() and swapon()/swapoff() respectively

2 files changed, 17 insertions, 0 deletions

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 66b72b2b27..28c2079f30 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -566,6 +566,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "s390_pci_mmio_write\0"
 #endif
         },
+        [SYSCALL_FILTER_SET_REBOOT] = {
+                .name = "@reboot",
+                .help = "Reboot and reboot preparation/kexec",
+                .value =
+                "kexec\0"
+                "kexec_file_load\0"
+                "reboot\0"
+        },
         [SYSCALL_FILTER_SET_RESOURCES] = {
                 /* Alter resource settings */
                 .name = "@resources",
@@ -582,6 +590,13 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "sched_setattr\0"
                 "prlimit64\0"
         },
+        [SYSCALL_FILTER_SET_SWAP] = {
+                .name = "@swap",
+                .help = "Enable/disable swap devices",
+                .value =
+                "swapoff\0"
+                "swapon\0"
+        },
 };
 
 const SyscallFilterSet *syscall_filter_set_find(const char *name) {
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 01cf331b29..2e9980e74b 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -56,7 +56,9 @@ enum {
         SYSCALL_FILTER_SET_PRIVILEGED,
         SYSCALL_FILTER_SET_PROCESS,
         SYSCALL_FILTER_SET_RAW_IO,
+        SYSCALL_FILTER_SET_REBOOT,
         SYSCALL_FILTER_SET_RESOURCES,
+        SYSCALL_FILTER_SET_SWAP,
         _SYSCALL_FILTER_SET_MAX
 };