Merge pull request #12133 from poettering/rseq-whitelist

whitelist rseq() system call in `@default` syscall group
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2019-03-29 14:59:00 +01:00 committed by GitHub
commit 2818ddc8f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 4 deletions

6
TODO
View File

@ -23,6 +23,12 @@ Janitorial Clean-ups:
Features:
* tweak journald context caching. In addition to caching per-process attributes
keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
keyed by cgroup path, and guarded by ctime changes. This should provide us
with a nice speed-up on services that have many processes running in the same
cgroup.
* clean up sleep.c:
- Use CLOCK_BOOTTIME_ALARM for waking up s2h instead of RTC ioctls
- Parse sleep.conf only once, and parse its whole contents so that we don't

View File

@ -2695,7 +2695,9 @@ int config_parse_syscall_filter(
c->syscall_whitelist = true;
/* Accept default syscalls if we are on a whitelist */
r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST);
r = seccomp_parse_syscall_filter(
"@default", -1, c->syscall_filter,
SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST);
if (r < 0)
return r;
}
@ -2722,9 +2724,12 @@ int config_parse_syscall_filter(
continue;
}
r = seccomp_parse_syscall_filter_full(name, num, c->syscall_filter,
SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|(invert ? SECCOMP_PARSE_INVERT : 0)|(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
unit, filename, line);
r = seccomp_parse_syscall_filter_full(
name, num, c->syscall_filter,
SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|
(invert ? SECCOMP_PARSE_INVERT : 0)|
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
unit, filename, line);
if (r < 0)
return r;
}

View File

@ -291,6 +291,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"pause\0"
"prlimit64\0"
"restart_syscall\0"
"rseq\0"
"rt_sigreturn\0"
"sched_yield\0"
"set_robust_list\0"