| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-11-02 12:01:04 -0400 | 
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-11-03 09:35:36 -0400 | 
| commit | 40eb6a801427e28a237d32869639fffc8436c930 (patch) | |
| tree | 71eb09dab15430d3fde8c7cd55022857c02d70aa /src | |
| parent | 869feb33881ac0ee6f95fb3baa7eeb870c429c64 (diff) | |
seccomp-util: move @default to the first position
Now that the list is user-visible, @default should be first.
Diffstat (limited to 'src')
| -rw-r--r-- | src/shared/seccomp-util.c | 36 | ||||
| -rw-r--r-- | src/shared/seccomp-util.h | 3 | 
2 files changed, 20 insertions, 19 deletions
|
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index c9b24f1065..325dcc866e 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -217,6 +217,24 @@ bool is_seccomp_available(void) {
 }
 const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
+        [SYSCALL_FILTER_SET_DEFAULT] = {
+                /* Default list: the most basic of operations */
+                .name = "@default",
+                .value =
+                "clock_getres\0"
+                "clock_gettime\0"
+                "clock_nanosleep\0"
+                "execve\0"
+                "exit\0"
+                "exit_group\0"
+                "getrlimit\0"      /* make sure processes can query stack size and such */
+                "gettimeofday\0"
+                "nanosleep\0"
+                "pause\0"
+                "rt_sigreturn\0"
+                "sigreturn\0"
+                "time\0"
+        },
         [SYSCALL_FILTER_SET_BASIC_IO] = {
                 /* Basic IO */
                 .name = "@basic-io",
@@ -270,24 +288,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 #endif
                 "sys_debug_setcontext\0"
         },
-        [SYSCALL_FILTER_SET_DEFAULT] = {
-                /* Default list: the most basic of operations */
-                .name = "@default",
-                .value =
-                "clock_getres\0"
-                "clock_gettime\0"
-                "clock_nanosleep\0"
-                "execve\0"
-                "exit\0"
-                "exit_group\0"
-                "getrlimit\0"      /* make sure processes can query stack size and such */
-                "gettimeofday\0"
-                "nanosleep\0"
-                "pause\0"
-                "rt_sigreturn\0"
-                "sigreturn\0"
-                "time\0"
-        },
         [SYSCALL_FILTER_SET_IO_EVENT] = {
                 /* Event loop use */
                 .name = "@io-event",
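Review bot: The `/* Default list: the most basic of operations */` comment on the moved `@default` entry does not say how the set is applied, and now that it heads a user-visible list that is the first thing a reader will want to know. If the set is added implicitly to allow-list filters (not visible in this hunk), the comment should say so, since the set includes `execve`; something like `/* Default list: syscalls every service needs; state here whether allow-list filters imply it */`. Separately, because the array uses designated initializers, the entry's position in the source does not change its index; the ordering comes from the enum in seccomp-util.h, and a one-line comment above the array such as `/* Indexed by SYSCALL_FILTER_SET_*; keep source order in step with the enum */` would make that explicit. The array initializer continues outside the hunk.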
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 8e209efef2..ce7417b0ba 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -38,11 +38,12 @@ typedef struct SyscallFilterSet {
 } SyscallFilterSet;
 enum {
+        /* Please leave DEFAULT first, but sort the rest alphabetically */
+        SYSCALL_FILTER_SET_DEFAULT,
         SYSCALL_FILTER_SET_BASIC_IO,
         SYSCALL_FILTER_SET_CLOCK,
         SYSCALL_FILTER_SET_CPU_EMULATION,
         SYSCALL_FILTER_SET_DEBUG,
-        SYSCALL_FILTER_SET_DEFAULT,
         SYSCALL_FILTER_SET_IO_EVENT,
         SYSCALL_FILTER_SET_IPC,
         SYSCALL_FILTER_SET_KEYRING, |
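Review bot: The new comment `/* Please leave DEFAULT first, but sort the rest alphabetically */` is the only thing keeping `SYSCALL_FILTER_SET_DEFAULT` at index 0, and nothing fails at build time if a later edit inserts a member above it. If any code relies on the first entry being `@default` (the commit message suggests the listing order is user-visible), pin it with a compile-time check next to the enum, e.g. `assert_cc(SYSCALL_FILTER_SET_DEFAULT == 0);`. The enum continues outside the hunk, so whether the remaining members are already in alphabetical order cannot be confirmed from here.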
