mirror of
https://github.com/systemd/systemd
synced 2024-10-02 22:37:25 +00:00
Zbigniew Jędrzejewski-Szmek
parent
10b89c59dc
commit
d70eaf3067
|
|
@ -33,90 +33,90 @@ static int add_syscall_filters(
|
|||
const char* name;
|
||||
} allow_list[] = {
|
||||
/* Let's use set names where we can */
|
||||
{ 0, "@aio" },
|
||||
{ 0, "@basic-io" },
|
||||
{ 0, "@chown" },
|
||||
{ 0, "@default" },
|
||||
{ 0, "@file-system" },
|
||||
{ 0, "@io-event" },
|
||||
{ 0, "@ipc" },
|
||||
{ 0, "@mount" },
|
||||
{ 0, "@network-io" },
|
||||
{ 0, "@process" },
|
||||
{ 0, "@resources" },
|
||||
{ 0, "@setuid" },
|
||||
{ 0, "@signal" },
|
||||
{ 0, "@sync" },
|
||||
{ 0, "@timer" },
|
||||
{ 0, "@aio" },
|
||||
{ 0, "@basic-io" },
|
||||
{ 0, "@chown" },
|
||||
{ 0, "@default" },
|
||||
{ 0, "@file-system" },
|
||||
{ 0, "@io-event" },
|
||||
{ 0, "@ipc" },
|
||||
{ 0, "@mount" },
|
||||
{ 0, "@network-io" },
|
||||
{ 0, "@process" },
|
||||
{ 0, "@resources" },
|
||||
{ 0, "@setuid" },
|
||||
{ 0, "@signal" },
|
||||
{ 0, "@sync" },
|
||||
{ 0, "@timer" },
|
||||
|
||||
/* The following four are sets we optionally enable, in case the caps have been configured for it */
|
||||
{ CAP_SYS_TIME, "@clock" },
|
||||
{ CAP_SYS_MODULE, "@module" },
|
||||
{ CAP_SYS_RAWIO, "@raw-io" },
|
||||
{ CAP_IPC_LOCK, "@memlock" },
|
||||
/* The following four are sets we optionally enable, n case the caps have been configured for it */
|
||||
{ CAP_SYS_TIME, "@clock" },
|
||||
{ CAP_SYS_MODULE, "@module" },
|
||||
{ CAP_SYS_RAWIO, "@raw-io" },
|
||||
{ CAP_IPC_LOCK, "@memlock" },
|
||||
|
||||
/* Plus a good set of additional syscalls which are not part of any of the groups above */
|
||||
{ 0, "brk" },
|
||||
{ 0, "capget" },
|
||||
{ 0, "capset" },
|
||||
{ 0, "copy_file_range" },
|
||||
{ 0, "fadvise64" },
|
||||
{ 0, "fadvise64_64" },
|
||||
{ 0, "flock" },
|
||||
{ 0, "get_mempolicy" },
|
||||
{ 0, "getcpu" },
|
||||
{ 0, "getpriority" },
|
||||
{ 0, "getrandom" },
|
||||
{ 0, "ioctl" },
|
||||
{ 0, "ioprio_get" },
|
||||
{ 0, "kcmp" },
|
||||
{ 0, "madvise" },
|
||||
{ 0, "mincore" },
|
||||
{ 0, "mprotect" },
|
||||
{ 0, "mremap" },
|
||||
{ 0, "name_to_handle_at" },
|
||||
{ 0, "oldolduname" },
|
||||
{ 0, "olduname" },
|
||||
{ 0, "personality" },
|
||||
{ 0, "readahead" },
|
||||
{ 0, "readdir" },
|
||||
{ 0, "remap_file_pages" },
|
||||
{ 0, "sched_get_priority_max" },
|
||||
{ 0, "sched_get_priority_min" },
|
||||
{ 0, "sched_getaffinity" },
|
||||
{ 0, "sched_getattr" },
|
||||
{ 0, "sched_getparam" },
|
||||
{ 0, "sched_getscheduler" },
|
||||
{ 0, "sched_rr_get_interval" },
|
||||
{ 0, "brk" },
|
||||
{ 0, "capget" },
|
||||
{ 0, "capset" },
|
||||
{ 0, "copy_file_range" },
|
||||
{ 0, "fadvise64" },
|
||||
{ 0, "fadvise64_64" },
|
||||
{ 0, "flock" },
|
||||
{ 0, "get_mempolicy" },
|
||||
{ 0, "getcpu" },
|
||||
{ 0, "getpriority" },
|
||||
{ 0, "getrandom" },
|
||||
{ 0, "ioctl" },
|
||||
{ 0, "ioprio_get" },
|
||||
{ 0, "kcmp" },
|
||||
{ 0, "madvise" },
|
||||
{ 0, "mincore" },
|
||||
{ 0, "mprotect" },
|
||||
{ 0, "mremap" },
|
||||
{ 0, "name_to_handle_at" },
|
||||
{ 0, "oldolduname" },
|
||||
{ 0, "olduname" },
|
||||
{ 0, "personality" },
|
||||
{ 0, "readahead" },
|
||||
{ 0, "readdir" },
|
||||
{ 0, "remap_file_pages" },
|
||||
{ 0, "sched_get_priority_max" },
|
||||
{ 0, "sched_get_priority_min" },
|
||||
{ 0, "sched_getaffinity" },
|
||||
{ 0, "sched_getattr" },
|
||||
{ 0, "sched_getparam" },
|
||||
{ 0, "sched_getscheduler" },
|
||||
{ 0, "sched_rr_get_interval" },
|
||||
{ 0, "sched_rr_get_interval_time64" },
|
||||
{ 0, "sched_yield" },
|
||||
{ 0, "seccomp" },
|
||||
{ 0, "sendfile" },
|
||||
{ 0, "sendfile64" },
|
||||
{ 0, "setdomainname" },
|
||||
{ 0, "setfsgid" },
|
||||
{ 0, "setfsgid32" },
|
||||
{ 0, "setfsuid" },
|
||||
{ 0, "setfsuid32" },
|
||||
{ 0, "sethostname" },
|
||||
{ 0, "setpgid" },
|
||||
{ 0, "setsid" },
|
||||
{ 0, "splice" },
|
||||
{ 0, "sysinfo" },
|
||||
{ 0, "tee" },
|
||||
{ 0, "umask" },
|
||||
{ 0, "uname" },
|
||||
{ 0, "userfaultfd" },
|
||||
{ 0, "vmsplice" },
|
||||
{ 0, "sched_yield" },
|
||||
{ 0, "seccomp" },
|
||||
{ 0, "sendfile" },
|
||||
{ 0, "sendfile64" },
|
||||
{ 0, "setdomainname" },
|
||||
{ 0, "setfsgid" },
|
||||
{ 0, "setfsgid32" },
|
||||
{ 0, "setfsuid" },
|
||||
{ 0, "setfsuid32" },
|
||||
{ 0, "sethostname" },
|
||||
{ 0, "setpgid" },
|
||||
{ 0, "setsid" },
|
||||
{ 0, "splice" },
|
||||
{ 0, "sysinfo" },
|
||||
{ 0, "tee" },
|
||||
{ 0, "umask" },
|
||||
{ 0, "uname" },
|
||||
{ 0, "userfaultfd" },
|
||||
{ 0, "vmsplice" },
|
||||
|
||||
/* The following individual syscalls are added depending on specified caps */
|
||||
{ CAP_SYS_PACCT, "acct" },
|
||||
{ CAP_SYS_PTRACE, "process_vm_readv" },
|
||||
{ CAP_SYS_PTRACE, "process_vm_writev" },
|
||||
{ CAP_SYS_PTRACE, "ptrace" },
|
||||
{ CAP_SYS_BOOT, "reboot" },
|
||||
{ CAP_SYSLOG, "syslog" },
|
||||
{ CAP_SYS_TTY_CONFIG, "vhangup" },
|
||||
{ CAP_SYS_PACCT, "acct" },
|
||||
{ CAP_SYS_PTRACE, "process_vm_readv" },
|
||||
{ CAP_SYS_PTRACE, "process_vm_writev" },
|
||||
{ CAP_SYS_PTRACE, "ptrace" },
|
||||
{ CAP_SYS_BOOT, "reboot" },
|
||||
{ CAP_SYSLOG, "syslog" },
|
||||
{ CAP_SYS_TTY_CONFIG, "vhangup" },
|
||||
|
||||
/*
|
||||
* The following syscalls and groups are knowingly excluded:
|
||||
|
|
|
|||
Loading…
Reference in a new issue