From 201c1cc22a41df1f4ef7706bde41e2536bef433f Mon Sep 17 00:00:00 2001
From: Topi Miettinen <topimiettinen@users.noreply.github.com>
Date: Wed, 1 Jun 2016 09:56:01 +0000
Subject: core: add pre-defined syscall groups to SystemCallFilter= (#3053)
 (#3157)

Implement sets of system calls to help constructing system call
filters. A set starts with '@' to distinguish from a system call.

Closes: #3053, #3157
---
 man/systemd.exec.xml | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 72 insertions(+), 1 deletion(-)

(limited to 'man')

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 4d52982b64..58f18f3a9e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1193,7 +1193,78 @@
         <function>read</function> and <function>write</function>, and
         right after it add a blacklisting of
         <function>write</function>, then <function>write</function>
-        will be removed from the set.) </para></listitem>
+        will be removed from the set.)</para>
+
+        <para>As the number of possible system
+        calls is large, predefined sets of system calls are provided.
+        A set starts with <literal>@</literal> character, followed by
+        name of the set.
+
+        <table>
+          <title>Currently predefined system call sets</title>
+
+          <tgroup cols='2'>
+            <colspec colname='set' />
+            <colspec colname='description' />
+            <thead>
+              <row>
+                <entry>Set</entry>
+                <entry>Description</entry>
+              </row>
+            </thead>
+            <tbody>
+              <row>
+                <entry>@clock</entry>
+                <entry>System calls for changing the system clock (<function>adjtimex()</function>,
+                <function>settimeofday()</function>)</entry>
+              </row>
+              <row>
+                <entry>@io-event</entry>
+                <entry>Event loop use (<function>poll()</function>, <function>select()</function>,
+                <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+                <function>eventfd()</function>...)</entry>
+              </row>
+              <row>
+                <entry>@ipc</entry>
+                <entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+                <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
+              </row>
+              <row>
+                <entry>@module</entry>
+                <entry>Kernel module control (<function>create_module()</function>, <function>init_module()</function>...)</entry>
+              </row>
+              <row>
+                <entry>@mount</entry>
+                <entry>File system mounting and unmounting (<function>chroot()</function>, <function>mount()</function>...)</entry>
+              </row>
+              <row>
+                <entry>@network-io</entry>
+                <entry>Socket I/O (including local AF_UNIX):
+                <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+                <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
+              </row>
+              <row>
+                <entry>@obsolete</entry>
+                <entry>Unusual, obsolete or unimplemented (<function>fattach()</function>, <function>gtty()</function>, <function>vm86()</function>...)</entry>
+              </row>
+              <row>
+                <entry>@privileged</entry>
+                <entry>All system calls which need superuser capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
+              </row>
+              <row>
+                <entry>@process</entry>
+                <entry>Process control, execution, namespaces (<function>execve()</function>, <function>kill()</function>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>...)</entry>
+              </row>
+              <row>
+                <entry>@raw-io</entry>
+                <entry>Raw I/O ports (<function>ioperm()</function>, <function>iopl()</function>, <function>pciconfig_read()</function>...)</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </table>
+
+        Note, that as new system calls are added to the kernel, additional system calls might be added to the groups
+        above, so the contents of the sets may change between systemd versions.</para></listitem>
       </varlistentry>
 
       <varlistentry>
-- 
cgit v1.2.3-54-g00ecf