diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/shared/seccomp-util.c | 36 | ||||
-rw-r--r-- | src/shared/seccomp-util.h | 3 |
2 files changed, 20 insertions, 19 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index c9b24f1065..325dcc866e 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -217,6 +217,24 @@ bool is_seccomp_available(void) { } const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + [SYSCALL_FILTER_SET_DEFAULT] = { + /* Default list: the most basic of operations */ + .name = "@default", + .value = + "clock_getres\0" + "clock_gettime\0" + "clock_nanosleep\0" + "execve\0" + "exit\0" + "exit_group\0" + "getrlimit\0" /* make sure processes can query stack size and such */ + "gettimeofday\0" + "nanosleep\0" + "pause\0" + "rt_sigreturn\0" + "sigreturn\0" + "time\0" + }, [SYSCALL_FILTER_SET_BASIC_IO] = { /* Basic IO */ .name = "@basic-io", @@ -270,24 +288,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { #endif "sys_debug_setcontext\0" }, - [SYSCALL_FILTER_SET_DEFAULT] = { - /* Default list: the most basic of operations */ - .name = "@default", - .value = - "clock_getres\0" - "clock_gettime\0" - "clock_nanosleep\0" - "execve\0" - "exit\0" - "exit_group\0" - "getrlimit\0" /* make sure processes can query stack size and such */ - "gettimeofday\0" - "nanosleep\0" - "pause\0" - "rt_sigreturn\0" - "sigreturn\0" - "time\0" - }, [SYSCALL_FILTER_SET_IO_EVENT] = { /* Event loop use */ .name = "@io-event", diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index 8e209efef2..ce7417b0ba 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -38,11 +38,12 @@ typedef struct SyscallFilterSet { } SyscallFilterSet; enum { + /* Please leave DEFAULT first, but sort the rest alphabetically */ + SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_BASIC_IO, SYSCALL_FILTER_SET_CLOCK, SYSCALL_FILTER_SET_CPU_EMULATION, SYSCALL_FILTER_SET_DEBUG, - SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_IPC, SYSCALL_FILTER_SET_KEYRING, |