Merge pull request #13975 from keszybz/more-seccomp-syscalls

Add more syscalls to the seccomp lists
Add @pkey syscall group
2019-11-09 23:27:34 +09:00 · 2019-11-08 14:41:22 +01:00 · 2019-11-08 14:40:49 +01:00
3 changed files with 30 additions and 3 deletions
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@ -123,6 +123,7 @@ static int seccomp_add_default_syscall_filter(
                 * @cpu-emulation
                 * @keyring           (NB: keyring is not namespaced!)
                 * @obsolete
                 * @pkey
                 * @swap
                 *
                 * bpf                (NB: bpffs is not namespaced!)
@ -134,9 +135,6 @@ static int seccomp_add_default_syscall_filter(
                 * nfsservctl
                 * open_by_handle_at
                 * perf_event_open
                 * pkey_alloc
                 * pkey_free
                 * pkey_mprotect
                 * quotactl
                 */
        };
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -258,12 +258,16 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                .help = "System calls that are always permitted",
                .value =
                "clock_getres\0"
                "clock_getres_time64\0"
                "clock_gettime\0"
                "clock_gettime64\0"
                "clock_nanosleep\0"
                "clock_nanosleep_time64\0"
                "execve\0"
                "exit\0"
                "exit_group\0"
                "futex\0"
                "futex_time64\0"
                "get_robust_list\0"
                "get_thread_area\0"
                "getegid\0"
@ -312,6 +316,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "io_destroy\0"
                "io_getevents\0"
                "io_pgetevents\0"
                "io_pgetevents_time64\0"
                "io_setup\0"
                "io_submit\0"
                "io_uring_enter\0"
@ -357,7 +362,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                .value =
                "adjtimex\0"
                "clock_adjtime\0"
                "clock_adjtime64\0"
                "clock_settime\0"
                "clock_settime64\0"
                "settimeofday\0"
                "stime\0"
        },
@ -465,6 +472,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "unlinkat\0"
                "utime\0"
                "utimensat\0"
                "utimensat_time64\0"
                "utimes\0"
        },
        [SYSCALL_FILTER_SET_IO_EVENT] = {
@ -483,7 +491,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "eventfd2\0"
                "poll\0"
                "ppoll\0"
                "ppoll_time64\0"
                "pselect6\0"
                "pselect6_time64\0"
                "select\0"
        },
        [SYSCALL_FILTER_SET_IPC] = {
@ -496,7 +506,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "mq_notify\0"
                "mq_open\0"
                "mq_timedreceive\0"
                "mq_timedreceive_time64\0"
                "mq_timedsend\0"
                "mq_timedsend_time64\0"
                "mq_unlink\0"
                "msgctl\0"
                "msgget\0"
@ -510,6 +522,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "semget\0"
                "semop\0"
                "semtimedop\0"
                "semtimedop_time64\0"
                "shmat\0"
                "shmctl\0"
                "shmdt\0"
@ -572,6 +585,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "recv\0"
                "recvfrom\0"
                "recvmmsg\0"
                "recvmmsg_time64\0"
                "recvmsg\0"
                "send\0"
                "sendmmsg\0"
@ -615,6 +629,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "ustat\0"
                "vserver\0"
        },
        [SYSCALL_FILTER_SET_PKEY] = {
                .name = "@pkey",
                .help = "System calls used for memory protection keys",
                .value =
                "pkey_alloc\0"
                "pkey_free\0"
                "pkey_mprotect\0"
        },
        [SYSCALL_FILTER_SET_PRIVILEGED] = {
                .name = "@privileged",
                .help = "All system calls which need super-user capabilities",
@ -747,6 +769,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "rt_sigprocmask\0"
                "rt_sigsuspend\0"
                "rt_sigtimedwait\0"
                "rt_sigtimedwait_time64\0"
                "sigaction\0"
                "sigaltstack\0"
                "signal\0"
@ -826,6 +849,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "sched_getparam\0"
                "sched_getscheduler\0"
                "sched_rr_get_interval\0"
                "sched_rr_get_interval_time64\0"
                "sched_yield\0"
                "sendfile\0"
                "sendfile64\0"
@ -854,10 +878,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "timer_delete\0"
                "timer_getoverrun\0"
                "timer_gettime\0"
                "timer_gettime64\0"
                "timer_settime\0"
                "timer_settime64\0"
                "timerfd_create\0"
                "timerfd_gettime\0"
                "timerfd_gettime64\0"
                "timerfd_settime\0"
                "timerfd_settime64\0"
                "times\0"
        },
 };
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@ -38,6 +38,7 @@ enum {
        SYSCALL_FILTER_SET_MOUNT,
        SYSCALL_FILTER_SET_NETWORK_IO,
        SYSCALL_FILTER_SET_OBSOLETE,
        SYSCALL_FILTER_SET_PKEY,
        SYSCALL_FILTER_SET_PRIVILEGED,
        SYSCALL_FILTER_SET_PROCESS,
        SYSCALL_FILTER_SET_RAW_IO,