From 3adae2e04bfc86c689db1c07055c7c2767674dfa Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Tue, 3 Sep 2019 12:02:38 +0300
Subject: Revert changes in #2928 to seccomp group @default
Reconstruct @default by not relying on the changed system call groups @privileged and @resources.
---
 src/fseccomp/syscall.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 47 insertions(+), 2 deletions(-)
(limited to 'src/fseccomp')
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 5d83786bb..1683d3140 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -201,11 +201,14 @@ static const SyscallGroupList sysgroups[] = {
 #endif
 },
 { .name = "@default", .list =
+ "@clock,"
 "@cpu-emulation,"
 "@debug,"
+ "@module,"
 "@obsolete,"
- "@privileged,"
- "@resources,"
+ "@raw-io,"
+ "@reboot,"
+ "@swap,"
 #ifdef SYS_open_by_handle_at
 "open_by_handle_at,"
 #endif
@@ -233,6 +236,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_request_key
 "request_key,"
 #endif
+#ifdef SYS_mbind
+ "mbind,"
+#endif
+#ifdef SYS_migrate_pages
+ "migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+ "move_pages,"
+#endif
 #ifdef SYS_keyctl
 "keyctl,"
 #endif
@@ -254,6 +266,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_remap_file_pages
 "remap_file_pages,"
 #endif
+#ifdef SYS_set_mempolicy
+ "set_mempolicy"
+#endif
 #ifdef SYS_vmsplice
 "vmsplice,"
 #endif
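Review bot: The `@default` entry at `{ .name = "@default", .list =` now lists individual members by hand, and nothing in the code records why `@privileged` and `@resources` are no longer referenced; only the commit message says so. A short comment above the entry would keep a later cleanup from folding the names back into those groups, for example `/* @default lists these calls explicitly; it must not depend on @privileged or @resources, whose contents changed in #2928 */`. The array `sysgroups[]` starts and ends outside the hunk.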
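Review bot: The added `"set_mempolicy"` literal has no trailing comma, and the next context line in the same hunk is `"vmsplice,"`. Adjacent string literals are concatenated, so when both macros are defined the list contains the single token `set_mempolicyvmsplice,` instead of two names; the line should read `"set_mempolicy,"`. Depending on how the list parser treats an unknown name, this either rejects the filter or leaves both calls out of `@default`. The last hunk adds `"vhangup"` without a comma as well; the lines after it in that hunk are commented out, so whether it is the final entry of the list depends on code outside the hunk and should be checked.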
@@ -263,6 +278,36 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_userfaultfd
 "userfaultfd,"
 #endif
+#ifdef SYS_acct
+ "acct,"
+#endif
+#ifdef SYS_bpf
+ "bpf,"
+#endif
+#ifdef SYS_chroot
+ "chroot,"
+#endif
+#ifdef SYS_mount
+ "mount,"
+#endif
+#ifdef SYS_nfsservctl
+ "nfsservctl,"
+#endif
+#ifdef SYS_pivot_root
+ "pivot_root,"
+#endif
+#ifdef SYS_setdomainname
+ "setdomainname,"
+#endif
+#ifdef SYS_sethostname
+ "sethostname,"
+#endif
+#ifdef SYS_umount2
+ "umount2,"
+#endif
+#ifdef SYS_vhangup
+ "vhangup"
+#endif
 //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
 // "mincore"
 //#endif
-- 
cgit v1.2.3-54-g00ecf