From f4f44a5f96c49aff62000f3a9802277152423534 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 17 Jul 2022 16:42:06 +0200
Subject: refresh syscall groups (#5188)
now covers syscalls up to including process_madvise (440)
group assignment was blindly copied from systemd:
https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305
the only exception is close_range, which was added to both @basic-io and @file-system
this commit adds the following syscalls to the default blacklist: pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree
---
 src/lib/syscall.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 50 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index a17f6423a..29cf6318f 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -92,7 +92,16 @@ static const SyscallGroupList sysgroups[] = {
 "io_setup,"
 #endif
 #ifdef SYS_io_submit
- "io_submit"
+ "io_submit,"
+#endif
+#ifdef SYS_io_uring_enter
+ "io_uring_enter,"
+#endif
+#ifdef SYS_io_uring_register
+ "io_uring_register,"
+#endif
+#ifdef SYS_io_uring_setup
+ "io_uring_setup"
 #endif
 },
 { .name = "@basic-io", .list =
@@ -102,6 +111,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
 "close,"
 #endif
+#ifdef SYS_close_range
+ "close_range,"
+#endif
 #ifdef SYS_dup
 "dup,"
 #endif
@@ -212,6 +224,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_perf_event_open
 "perf_event_open,"
 #endif
+#ifdef SYS_pidfd_getfd
+ "pidfd_getfd,"
+#endif
 #ifdef SYS_process_vm_writev
 "process_vm_writev,"
 #endif
@@ -290,7 +305,7 @@ static const SyscallGroupList sysgroups[] = {
 "remap_file_pages,"
 #endif
 #ifdef SYS_set_mempolicy
- "set_mempolicy"
+ "set_mempolicy,"
 #endif
 #ifdef SYS_vmsplice
 "vmsplice,"
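Review bot: The three io_uring_* entries join @aio, but a seccomp policy that permits io_uring_setup and io_uring_enter cannot see the individual operations (reads, writes, opens and, on newer kernels, socket operations) submitted through the ring, so per-syscall deny rules elsewhere in a profile do not cover them unless this whole group is denied; whether @aio is part of the default deny list is not visible from this hunk. Worth recording next to the group, e.g. `/* io_uring ops are not syscalls: deny the group as a unit, per-syscall filtering does not see ring submissions */`. Separately, moving the unterminated entry from io_submit to io_uring_setup means headers that lack SYS_io_uring_setup leave the list ending in a comma; that is harmless only if the list parser skips empty names, which is outside this hunk.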
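Review bot: close_range is the one place the commit deliberately departs from the systemd table it otherwise mirrors (it is added to @file-system as well, in the hunk at -350), and nothing in the code records that, so the next resync against systemd is likely to drop one of the two copies. A one-line comment above the new `#ifdef SYS_close_range` in both places would preserve the intent: `/* deliberately in both @basic-io and @file-system; not in systemd's table */`.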
@@ -350,6 +365,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
 "close,"
 #endif
+#ifdef SYS_close_range
+ "close_range,"
+#endif
 #ifdef SYS_creat
 "creat,"
 #endif
@@ -503,6 +521,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_openat
 "openat,"
 #endif
+#ifdef SYS_openat2
+ "openat2,"
+#endif
 #ifdef SYS_readlink
 "readlink,"
 #endif
@@ -657,6 +678,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_pipe2
 "pipe2,"
 #endif
+#ifdef SYS_process_madvise
+ "process_madvise,"
+#endif
 #ifdef SYS_process_vm_readv
 "process_vm_readv,"
 #endif
@@ -731,9 +755,27 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_chroot
 "chroot,"
 #endif
+#ifdef SYS_fsconfig
+ "fsconfig,"
+#endif
+#ifdef SYS_fsmount
+ "fsmount,"
+#endif
+#ifdef SYS_fsopen
+ "fsopen,"
+#endif
+#ifdef SYS_fspick
+ "fspick,"
+#endif
 #ifdef SYS_mount
 "mount,"
 #endif
+#ifdef SYS_move_mount
+ "move_mount,"
+#endif
+#ifdef SYS_open_tree
+ "open_tree,"
+#endif
 #ifdef SYS_pivot_root
 "pivot_root,"
 #endif
@@ -985,6 +1027,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_clone
 "clone,"
 #endif
+#ifdef SYS_clone3
+ "clone3,"
+#endif
 #ifdef SYS_execveat
 "execveat,"
 #endif
@@ -997,6 +1042,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_kill
 "kill,"
 #endif
+#ifdef SYS_pidfd_open
+ "pidfd_open,"
+#endif
 #ifdef SYS_pidfd_send_signal
 "pidfd_send_signal,"
 #endif
-- 
cgit v1.2.3-70-g09d2
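Review bot: openat2 lands only in @file-system in this hunk; any other list in this table that enumerates open/openat (a read-only or default-deny group, for instance) needs the same entry, otherwise openat2 stays the one unlisted way to reach the same operation. None of those lists is visible here, so this is a cross-check rather than a confirmed defect, and the same check applies to the close_range/close and clone3/clone pairs added elsewhere in this patch.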
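Review bot: The new mount API is only covered completely once mount_setattr (syscall 442, Linux 5.12) is listed alongside fsopen/fsconfig/fsmount/move_mount/open_tree, and the commit's stated ceiling of 440 leaves it out, so on kernels that have it a process confined by this group (and by the default blacklist the commit extends) may still be able to change mount attributes on trees obtained via open_tree. Suggest marking the gap in place so it is picked up at the next refresh: `/* TODO: mount_setattr (442) once the table is refreshed past 440 */` after the open_tree block.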
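Review bot: clone3 passes its flags in a struct clone_args in user memory, so seccomp cannot inspect them the way it inspects clone's flag argument; if anything in this file or in the shipped profiles applies argument filters to clone (rejecting particular CLONE_* flags), those filters do not carry over and clone3 has to be denied outright, returning ENOSYS rather than EPERM so that libc falls back to clone, for the rule to hold. Whether such filters exist is not visible in this hunk; a comment on the new entry would keep the constraint from being forgotten: `/* clone3: flags live in user memory and cannot be argument-filtered; deny, do not filter */`.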