From 4a4485ae69bddf6cc01d4c50f3f53535c2d8fea4 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 17 Aug 2016 17:53:25 +0200
Subject: seccomp: make sure getrlimit() is among the default permitted
 syscalls

A lot of basic code wants to know the stack size, and it is safe if they do,
hence let's permit getrlimit() (but not setrlimit()) by default.

See: #3970
---
 src/shared/seccomp-util.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 8656d112b8..b549426e2b 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -127,6 +127,7 @@ const SystemCallFilterSet syscall_filter_sets[] = {
                 "execve\0"
                 "exit\0"
                 "exit_group\0"
+                "getrlimit\0"      /* make sure processes can query stack size and such */
                 "rt_sigreturn\0"
                 "sigreturn\0"
         }, {
-- 
cgit v1.2.3-54-g00ecf