seccomp: add clock query and sleeping syscalls to "@default" group

Timing and sleep are so basic operations, it makes very little sense to ever block them, hence don't.
author: Lennart Poettering <lennart@poettering.net> 2016-10-25 15:38:36 +0200
committer: Lennart Poettering <lennart@poettering.net> 2016-11-02 08:49:59 -0600
commit: c79aff9a82abf361aea47b5c745ed9729c5f0212 (patch)
tree: f88550f7a6e129562226a15ef52ddd10ad136f1d /src
parent: 67234d218b11ce66d44f2479f4df8fdbd07d9e5b (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 1cbbb9d757..ad5782fb29 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -253,15 +253,22 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "sys_debug_setcontext\0"
         },
         [SYSCALL_FILTER_SET_DEFAULT] = {
-                /* Default list */
+                /* Default list: the most basic of operations */
                 .name = "@default",
                 .value =
+                "clock_getres\0"
+                "clock_gettime\0"
+                "clock_nanosleep\0"
                 "execve\0"
                 "exit\0"
                 "exit_group\0"
                 "getrlimit\0"      /* make sure processes can query stack size and such */
+                "gettimeofday\0"
+                "nanosleep\0"
+                "pause\0"
                 "rt_sigreturn\0"
                 "sigreturn\0"
+                "time\0"
         },
         [SYSCALL_FILTER_SET_IO_EVENT] = {
                 /* Event loop use */
author	Lennart Poettering <lennart@poettering.net>	2016-10-25 15:38:36 +0200
committer	Lennart Poettering <lennart@poettering.net>	2016-11-02 08:49:59 -0600
commit	c79aff9a82abf361aea47b5c745ed9729c5f0212 (patch)
tree	f88550f7a6e129562226a15ef52ddd10ad136f1d /src
parent	67234d218b11ce66d44f2479f4df8fdbd07d9e5b (diff)