3 Commits

Author SHA1 Message Date
Yu Watanabe e64664cefe
Merge pull request #13975 from keszybz/more-seccomp-syscalls
Add more syscalls to the seccomp lists
2019-11-09 23:27:34 +09:00
Zbigniew Jędrzejewski-Szmek 9493b16871 Add @pkey syscall group
Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1769299.
This change doesn't solve the issue, but makes it easier to whitelist the
syscall group.
2019-11-08 14:41:22 +01:00
Zbigniew Jędrzejewski-Szmek 6ca6771069 seccomp: add all *time64 syscalls
From https://bugzilla.redhat.com/show_bug.cgi?id=1770154:
> utime is an obsolete system call. The current kernel interface is
> utimensat_time64. New 32-bit architectures do not even provide the utime
> system call.

Also add all other *time64 syscalls listed in
https://fedora.juszkiewicz.com.pl/syscalls.html.
2019-11-08 14:40:49 +01:00
3 changed files with 30 additions and 3 deletions


@ -123,6 +123,7 @@ static int seccomp_add_default_syscall_filter(
* @cpu-emulation * @cpu-emulation
* @keyring (NB: keyring is not namespaced!) * @keyring (NB: keyring is not namespaced!)
* @obsolete * @obsolete
* @pkey
* @swap * @swap
* *
* bpf (NB: bpffs is not namespaced!) * bpf (NB: bpffs is not namespaced!)
@ -134,9 +135,6 @@ static int seccomp_add_default_syscall_filter(
* nfsservctl * nfsservctl
* open_by_handle_at * open_by_handle_at
* perf_event_open * perf_event_open
* pkey_alloc
* pkey_free
* pkey_mprotect
* quotactl * quotactl
*/ */
}; };


@ -258,12 +258,16 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.help = "System calls that are always permitted", .help = "System calls that are always permitted",
.value = .value =
"clock_getres\0" "clock_getres\0"
"clock_getres_time64\0"
"clock_gettime\0" "clock_gettime\0"
"clock_gettime64\0"
"clock_nanosleep\0" "clock_nanosleep\0"
"clock_nanosleep_time64\0"
"execve\0" "execve\0"
"exit\0" "exit\0"
"exit_group\0" "exit_group\0"
"futex\0" "futex\0"
"futex_time64\0"
"get_robust_list\0" "get_robust_list\0"
"get_thread_area\0" "get_thread_area\0"
"getegid\0" "getegid\0"
@ -312,6 +316,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"io_destroy\0" "io_destroy\0"
"io_getevents\0" "io_getevents\0"
"io_pgetevents\0" "io_pgetevents\0"
"io_pgetevents_time64\0"
"io_setup\0" "io_setup\0"
"io_submit\0" "io_submit\0"
"io_uring_enter\0" "io_uring_enter\0"
@ -357,7 +362,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.value = .value =
"adjtimex\0" "adjtimex\0"
"clock_adjtime\0" "clock_adjtime\0"
"clock_adjtime64\0"
"clock_settime\0" "clock_settime\0"
"clock_settime64\0"
"settimeofday\0" "settimeofday\0"
"stime\0" "stime\0"
}, },
@ -465,6 +472,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"unlinkat\0" "unlinkat\0"
"utime\0" "utime\0"
"utimensat\0" "utimensat\0"
"utimensat_time64\0"
"utimes\0" "utimes\0"
}, },
[SYSCALL_FILTER_SET_IO_EVENT] = { [SYSCALL_FILTER_SET_IO_EVENT] = {
@ -483,7 +491,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"eventfd2\0" "eventfd2\0"
"poll\0" "poll\0"
"ppoll\0" "ppoll\0"
"ppoll_time64\0"
"pselect6\0" "pselect6\0"
"pselect6_time64\0"
"select\0" "select\0"
}, },
[SYSCALL_FILTER_SET_IPC] = { [SYSCALL_FILTER_SET_IPC] = {
@ -496,7 +506,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"mq_notify\0" "mq_notify\0"
"mq_open\0" "mq_open\0"
"mq_timedreceive\0" "mq_timedreceive\0"
"mq_timedreceive_time64\0"
"mq_timedsend\0" "mq_timedsend\0"
"mq_timedsend_time64\0"
"mq_unlink\0" "mq_unlink\0"
"msgctl\0" "msgctl\0"
"msgget\0" "msgget\0"
@ -510,6 +522,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"semget\0" "semget\0"
"semop\0" "semop\0"
"semtimedop\0" "semtimedop\0"
"semtimedop_time64\0"
"shmat\0" "shmat\0"
"shmctl\0" "shmctl\0"
"shmdt\0" "shmdt\0"
@ -572,6 +585,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"recv\0" "recv\0"
"recvfrom\0" "recvfrom\0"
"recvmmsg\0" "recvmmsg\0"
"recvmmsg_time64\0"
"recvmsg\0" "recvmsg\0"
"send\0" "send\0"
"sendmmsg\0" "sendmmsg\0"
@ -615,6 +629,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"ustat\0" "ustat\0"
"vserver\0" "vserver\0"
}, },
[SYSCALL_FILTER_SET_PKEY] = {
.name = "@pkey",
.help = "System calls used for memory protection keys",
.value =
"pkey_alloc\0"
"pkey_free\0"
"pkey_mprotect\0"
},
[SYSCALL_FILTER_SET_PRIVILEGED] = { [SYSCALL_FILTER_SET_PRIVILEGED] = {
.name = "@privileged", .name = "@privileged",
.help = "All system calls which need super-user capabilities", .help = "All system calls which need super-user capabilities",
@ -747,6 +769,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"rt_sigprocmask\0" "rt_sigprocmask\0"
"rt_sigsuspend\0" "rt_sigsuspend\0"
"rt_sigtimedwait\0" "rt_sigtimedwait\0"
"rt_sigtimedwait_time64\0"
"sigaction\0" "sigaction\0"
"sigaltstack\0" "sigaltstack\0"
"signal\0" "signal\0"
@ -826,6 +849,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"sched_getparam\0" "sched_getparam\0"
"sched_getscheduler\0" "sched_getscheduler\0"
"sched_rr_get_interval\0" "sched_rr_get_interval\0"
"sched_rr_get_interval_time64\0"
"sched_yield\0" "sched_yield\0"
"sendfile\0" "sendfile\0"
"sendfile64\0" "sendfile64\0"
@ -854,10 +878,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"timer_delete\0" "timer_delete\0"
"timer_getoverrun\0" "timer_getoverrun\0"
"timer_gettime\0" "timer_gettime\0"
"timer_gettime64\0"
"timer_settime\0" "timer_settime\0"
"timer_settime64\0"
"timerfd_create\0" "timerfd_create\0"
"timerfd_gettime\0" "timerfd_gettime\0"
"timerfd_gettime64\0"
"timerfd_settime\0" "timerfd_settime\0"
"timerfd_settime64\0"
"times\0" "times\0"
}, },
}; };
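Review bot: The new `[SYSCALL_FILTER_SET_PKEY]` entry gives no hint that allow-listing `@pkey` also admits `pkey_mprotect`, which changes page protections the way `mprotect` does, so a unit that relies on a write-execute restriction could be weakened by enabling this group. I would add a comment above the entry such as `/* pkey_mprotect() changes page protections like mprotect(); any W^X-style restriction must cover it too */`. Whether the memory-protection filter elsewhere in this file already handles `pkey_mprotect` is not visible in these hunks and is worth confirming. The group name is user-visible, and all three changed files appear to be C sources, so the manual's list of syscall groups probably needs a matching `@pkey` entry.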


@ -38,6 +38,7 @@ enum {
SYSCALL_FILTER_SET_MOUNT, SYSCALL_FILTER_SET_MOUNT,
SYSCALL_FILTER_SET_NETWORK_IO, SYSCALL_FILTER_SET_NETWORK_IO,
SYSCALL_FILTER_SET_OBSOLETE, SYSCALL_FILTER_SET_OBSOLETE,
SYSCALL_FILTER_SET_PKEY,
SYSCALL_FILTER_SET_PRIVILEGED, SYSCALL_FILTER_SET_PRIVILEGED,
SYSCALL_FILTER_SET_PROCESS, SYSCALL_FILTER_SET_PROCESS,
SYSCALL_FILTER_SET_RAW_IO, SYSCALL_FILTER_SET_RAW_IO,