seccomp: include pipes and memfd in @ipc

These system calls clearly fall in the @ipc category, hence should be listed there, simply to avoid confusion and surprise by the user.
author: Lennart Poettering <lennart@poettering.net> 2016-10-25 15:43:31 +0200
committer: Lennart Poettering <lennart@poettering.net> 2016-11-02 08:50:00 -0600
commit: cd5bfd7e60c08cfad41bcf881f550c424b2f3e44 (patch)
tree: e1ced1e692b4a0e625585a651bcf6bfc395a8ec7 /src
parent: a8c157ff3081ee963adb0d046015abf9a271fa67 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 70723e9e4e..e0a61aa358 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -290,9 +290,10 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "select\0"
         },
         [SYSCALL_FILTER_SET_IPC] = {
-                /* Message queues, SYSV IPC or other IPC: unusual */
+                /* Message queues, SYSV IPC or other IPC */
                 .name = "@ipc",
                 .value = "ipc\0"
+                "memfd_create\0"
                 "mq_getsetattr\0"
                 "mq_notify\0"
                 "mq_open\0"
@@ -303,6 +304,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "msgget\0"
                 "msgrcv\0"
                 "msgsnd\0"
+                "pipe2\0"
+                "pipe\0"
                 "process_vm_readv\0"
                 "process_vm_writev\0"
                 "semctl\0"
author	Lennart Poettering <lennart@poettering.net>	2016-10-25 15:43:31 +0200
committer	Lennart Poettering <lennart@poettering.net>	2016-11-02 08:50:00 -0600
commit	cd5bfd7e60c08cfad41bcf881f550c424b2f3e44 (patch)
tree	e1ced1e692b4a0e625585a651bcf6bfc395a8ec7 /src
parent	a8c157ff3081ee963adb0d046015abf9a271fa67 (diff)