From c79aff9a82abf361aea47b5c745ed9729c5f0212 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 25 Oct 2016 15:38:36 +0200
Subject: seccomp: add clock query and sleeping syscalls to "@default" group

Timing and sleep are so basic operations, it makes very little sense to ever block them, hence don't.
---
 src/shared/seccomp-util.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 1cbbb9d757..ad5782fb29 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -253,15 +253,22 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "sys_debug_setcontext\0"
 },
 [SYSCALL_FILTER_SET_DEFAULT] = {
-/* Default list */
+/* Default list: the most basic of operations */
 .name = "@default",
 .value =
+"clock_getres\0"
+"clock_gettime\0"
+"clock_nanosleep\0"
 "execve\0"
 "exit\0"
 "exit_group\0"
 "getrlimit\0" /* make sure processes can query stack size and such */
+"gettimeofday\0"
+"nanosleep\0"
+"pause\0"
 "rt_sigreturn\0"
 "sigreturn\0"
+"time\0"
 },
 [SYSCALL_FILTER_SET_IO_EVENT] = {
 /* Event loop use */
-- 
cgit v1.2.3-54-g00ecf
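Review bot: The rewritten set comment, `/* Default list: the most basic of operations */`, does not record why the clock and sleep syscalls now belong to the always-allowed group, and that rationale otherwise lives only in the commit message; suggest `/* Default list: the most basic of operations. Clock queries and sleeping are included on purpose, since filtering them is rarely useful and breaks nearly every program. */`. Since "@default" is the baseline every filter starts from, each name added here is one that no SystemCallFilter= configuration can exclude afterwards, so the entries deserve the same inline justification the existing `getrlimit` entry already carries. As far as I know, `time` and `gettimeofday` are not native syscalls on every architecture systemd targets, so how the loader treats a name that fails to resolve determines whether these entries are harmless no-ops there; that handling is outside this hunk and worth a one-line comment if it is a known no-op. The `syscall_filter_sets` initializer continues beyond both ends of the hunk.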