Age | Commit message | Author | |
---|---|---|---|
2016-09-06 | nspawn: detect SECCOMP availability, skip audit filter if unavailable | Felipe Sateler | |
Fail hard if SECCOMP was detected but could not be installed | |||
2016-07-22 | Use "return log_error_errno" in more places" | Zbigniew Jędrzejewski-Szmek | |
2016-06-13 | nspawn: lock down system call filter a bit | Lennart Poettering | |
Let's block access to the kernel keyring and a number of obsolete system calls. Also, update list of syscalls that may alter the system clock, and do raw IO access. Filter ptrace() if CAP_SYS_PTRACE is not passed to the container and acct() if CAP_SYS_PACCT is not passed. This also changes things so that kexec(), some profiling calls, the swap calls and quotactl() are never available to containers, not even if CAP_SYS_ADMIN is passed. After all we currently permit CAP_SYS_ADMIN to containers by default, but these calls should not be available, even then. | |||
2016-05-26 | nspawn: split out seccomp call into nspawn-seccomp.[ch] | Djalal Harouni | |
Split seccomp into nspawn-seccomp.[ch]. Currently there are no changes, but this will make it easy in the future to share or use the seccomp logic from systemd core. | |||