summaryrefslogtreecommitdiff
path: root/src/sysctl
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-06-10 18:04:02 +0200
committerLennart Poettering <lennart@poettering.net>2016-06-13 16:25:54 +0200
commit54a17e01de048a2275f8861b211f10d11e56407d (patch)
tree34e569f8eb22469cabf1d4052c8e9cc1772f4fc7 /src/sysctl
parent4e069746fe0de1f60bd1b75c113b0f40ffe86736 (diff)
nspawn: lock down system call filter a bit
Let's block access to the kernel keyring and a number of obsolete system calls. Also, update list of syscalls that may alter the system clock, and do raw IO access. Filter ptrace() if CAP_SYS_PTRACE is not passed to the container and acct() if CAP_SYS_PACCT is not passed. This also changes things so that kexec(), some profiling calls, the swap calls and quotactl() is never available to containers, not even if CAP_SYS_ADMIN is passed. After all we currently permit CAP_SYS_ADMIN to containers by default, but these calls should not be available, even then.
Diffstat (limited to 'src/sysctl')
0 files changed, 0 insertions, 0 deletions