Diffstat (limited to 'src/shared')
-rw-r--r--src/shared/bus-unit-util.c6
-rw-r--r--src/shared/seccomp-util.c216
-rw-r--r--src/shared/seccomp-util.h7
3 files changed, 226 insertions, 3 deletions
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index 502e98d9dc..8f4f93ee0c 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -158,7 +158,7 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen
"SendSIGHUP", "SendSIGKILL", "WakeSystem", "DefaultDependencies",
"IgnoreSIGPIPE", "TTYVHangup", "TTYReset", "RemainAfterExit",
"PrivateTmp", "PrivateDevices", "PrivateNetwork", "NoNewPrivileges",
- "SyslogLevelPrefix", "Delegate", "RemainAfterElapse")) {
+ "SyslogLevelPrefix", "Delegate", "RemainAfterElapse", "MemoryDenyWriteExecute")) {
r = parse_boolean(eq);
if (r < 0)
@@ -169,7 +169,7 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen
} else if (STR_IN_SET(field, "MemoryLow", "MemoryHigh", "MemoryMax", "MemoryLimit")) {
uint64_t bytes;
- if (isempty(eq) || streq(eq, "max") || streq(eq, "infinity"))
+ if (isempty(eq) || streq(eq, "infinity"))
bytes = CGROUP_LIMIT_MAX;
else {
r = parse_size(eq, 1024, &bytes);
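Review bot: Replacing `max` with `infinity` at line 28 (and the same edit at line 36 in the next hunk) changes what `systemctl set-property MemoryMax=max` accepts: the old keyword now falls through to `parse_size`, which presumably rejects it, so scripts written against the previous spelling break with a generic size-parse error that never mentions the new keyword. If the rename is intended, the failure path after `parse_size` (outside this hunk) should name `infinity` as the accepted keyword, e.g. `log_error("Failed to parse %s value %s (use \"infinity\" for no limit).", field, eq);`, so the breakage is self-explaining. bus_append_unit_property_assignment's body continues outside the hunk.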
@@ -306,7 +306,7 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen
return -EINVAL;
}
- if (streq(bandwidth, "max")) {
+ if (streq(bandwidth, "infinity")) {
bytes = CGROUP_LIMIT_MAX;
} else {
r = parse_size(bandwidth, 1000, &bytes);
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index cebe0fce2a..30d22d2242 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -88,3 +88,219 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
return 0;
}
+
+const SystemCallFilterSet syscall_filter_sets[] = {
+ {
+ /* Clock */
+ .set_name = "@clock",
+ .value =
+ "adjtimex\0"
+ "settimeofday\0"
+ }, {
+ /* Default list */
+ .set_name = "@default",
+ .value =
+ "execve\0"
+ "exit\0"
+ "exit_group\0"
+ "rt_sigreturn\0"
+ "sigreturn\0"
+ }, {
+ /* Event loop use */
+ .set_name = "@io-event",
+ .value =
+ "_newselect\0"
+ "epoll_create1\0"
+ "epoll_create\0"
+ "epoll_ctl\0"
+ "epoll_ctl_old\0"
+ "epoll_pwait\0"
+ "epoll_wait\0"
+ "epoll_wait_old\0"
+ "eventfd2\0"
+ "eventfd\0"
+ "poll\0"
+ "ppoll\0"
+ "pselect6\0"
+ "select\0"
+ }, {
+ /* Message queues, SYSV IPC or other IPC: unusual */
+ .set_name = "@ipc",
+ .value = "ipc\0"
+ "mq_getsetattr\0"
+ "mq_notify\0"
+ "mq_open\0"
+ "mq_timedreceive\0"
+ "mq_timedsend\0"
+ "mq_unlink\0"
+ "msgctl\0"
+ "msgget\0"
+ "msgrcv\0"
+ "msgsnd\0"
+ "process_vm_readv\0"
+ "process_vm_writev\0"
+ "semctl\0"
+ "semget\0"
+ "semop\0"
+ "semtimedop\0"
+ "shmat\0"
+ "shmctl\0"
+ "shmdt\0"
+ "shmget\0"
+ }, {
+ /* Kernel module control */
+ .set_name = "@module",
+ .value =
+ "create_module\0"
+ "delete_module\0"
+ "finit_module\0"
+ "init_module\0"
+ }, {
+ /* Mounting */
+ .set_name = "@mount",
+ .value =
+ "chroot\0"
+ "mount\0"
+ "oldumount\0"
+ "pivot_root\0"
+ "umount2\0"
+ "umount\0"
+ }, {
+ /* Network or Unix socket IO, should not be needed if not network facing */
+ .set_name = "@network-io",
+ .value =
+ "accept4\0"
+ "accept\0"
+ "bind\0"
+ "connect\0"
+ "getpeername\0"
+ "getsockname\0"
+ "getsockopt\0"
+ "listen\0"
+ "recv\0"
+ "recvfrom\0"
+ "recvmmsg\0"
+ "recvmsg\0"
+ "send\0"
+ "sendmmsg\0"
+ "sendmsg\0"
+ "sendto\0"
+ "setsockopt\0"
+ "shutdown\0"
+ "socket\0"
+ "socketcall\0"
+ "socketpair\0"
+ }, {
+ /* Unusual, obsolete or unimplemented, some unknown even to libseccomp */
+ .set_name = "@obsolete",
+ .value =
+ "_sysctl\0"
+ "afs_syscall\0"
+ "break\0"
+ "fattach\0"
+ "fdetach\0"
+ "ftime\0"
+ "get_kernel_syms\0"
+ "get_mempolicy\0"
+ "getmsg\0"
+ "getpmsg\0"
+ "gtty\0"
+ "isastream\0"
+ "lock\0"
+ "madvise1\0"
+ "modify_ldt\0"
+ "mpx\0"
+ "pciconfig_iobase\0"
+ "perf_event_open\0"
+ "prof\0"
+ "profil\0"
+ "putmsg\0"
+ "putpmsg\0"
+ "query_module\0"
+ "rtas\0"
+ "s390_runtime_instr\0"
+ "security\0"
+ "sgetmask\0"
+ "ssetmask\0"
+ "stty\0"
+ "subpage_prot\0"
+ "switch_endian\0"
+ "sys_debug_setcontext\0"
+ "tuxcall\0"
+ "ulimit\0"
+ "uselib\0"
+ "vm86\0"
+ "vm86old\0"
+ "vserver\0"
+ }, {
+ /* Nice grab-bag of all system calls which need superuser capabilities */
+ .set_name = "@privileged",
+ .value =
+ "@clock\0"
+ "@module\0"
+ "@raw-io\0"
+ "acct\0"
+ "bdflush\0"
+ "bpf\0"
+ "chown32\0"
+ "chown\0"
+ "chroot\0"
+ "fchown32\0"
+ "fchown\0"
+ "fchownat\0"
+ "kexec_file_load\0"
+ "kexec_load\0"
+ "lchown32\0"
+ "lchown\0"
+ "nfsservctl\0"
+ "pivot_root\0"
+ "quotactl\0"
+ "reboot\0"
+ "setdomainname\0"
+ "setfsuid32\0"
+ "setfsuid\0"
+ "setgroups32\0"
+ "setgroups\0"
+ "sethostname\0"
+ "setresuid32\0"
+ "setresuid\0"
+ "setreuid32\0"
+ "setreuid\0"
+ "setuid32\0"
+ "setuid\0"
+ "stime\0"
+ "swapoff\0"
+ "swapon\0"
+ "sysctl\0"
+ "vhangup\0"
+ }, {
+ /* Process control, execution, namespaces */
+ .set_name = "@process",
+ .value =
+ "arch_prctl\0"
+ "clone\0"
+ "execve\0"
+ "execveat\0"
+ "fork\0"
+ "kill\0"
+ "prctl\0"
+ "setns\0"
+ "tgkill\0"
+ "tkill\0"
+ "unshare\0"
+ "vfork\0"
+ }, {
+ /* Raw I/O ports */
+ .set_name = "@raw-io",
+ .value =
+ "ioperm\0"
+ "iopl\0"
+ "pciconfig_read\0"
+ "pciconfig_write\0"
+ "s390_pci_mmio_read\0"
+ "s390_pci_mmio_write\0"
+ }, {
+ .set_name = NULL,
+ .value = NULL
+ }
+};
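Review bot: The `@privileged` entry at lines 195-197 nests other sets (`@clock`, `@module`, `@raw-io`) by name, but nothing in the table says that an item beginning with `@` is a reference rather than a syscall, that the referenced set may be defined later in the array (as `@raw-io` is), or that whoever expands these must refuse a set that references itself or forms a cycle. A header comment above the array along the lines of `/* Each .value is a NUL-separated, double-NUL-terminated list; an item starting with '@' names another set in this table and is expanded recursively by the consumer, which must guard against cycles. The array ends with a NULL set_name. */` would make that contract explicit before the first consumer is written. Separately, `get_mempolicy` (line 160) and `perf_event_open` (line 170) are documented, in-use interfaces rather than obsolete ones, so a one-line note on why they are grouped under `@obsolete` would stop a later maintainer from pruning them as a cleanup. The inline `.value = "ipc\0"` at line 85 also departs from the other entries, which put `.value =` on its own line.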
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 4ed2afc1b2..be33eecb85 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -26,3 +26,10 @@ const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret);
int seccomp_add_secondary_archs(scmp_filter_ctx *c);
+
+typedef struct SystemCallFilterSet {
+ const char *set_name;
+ const char *value;
+} SystemCallFilterSet;
+
+extern const SystemCallFilterSet syscall_filter_sets[];
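Review bot: The new `SystemCallFilterSet` fields at lines 272-273 carry no documentation, and the encoding of `value` is not recoverable from its type: the table in seccomp-util.c fills it with a NUL-separated list terminated by an empty string, not a single C string, so `strlen`/`streq` on it would see only the first item. Suggest `/* NUL-separated list of syscall names, or '@'-prefixed names of other sets, terminated by an empty string */` on `value`, `/* e.g. "@clock"; NULL marks the end of syscall_filter_sets */` on `set_name`, and a short comment on the `extern` at line 276 stating that the array's last entry has a NULL `set_name` so callers know how to iterate it.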