authorColin Walters <walters@verbum.org>2015-08-28 08:47:33 -0400
committerColin Walters <walters@verbum.org>2015-08-28 09:15:11 -0400
commit8cee4ab7345f126d1dec55b7ca1f28e8090a58d3 (patch)
treeb2c60c914d3202f6ccf2bc6b8553af15cba25ed8 /Makefile-user-chroot.am
parent99a02e4114b06edf6c03fcc01e09c137f1fc67dd (diff)
downloadlinux-user-chroot-8cee4ab7345f126d1dec55b7ca1f28e8090a58d3.tar.gz
Add seccomp and rules imported from xdg-app/Sandstorm.io
seccomp is disabled by default for backwards compatibility. This "v0" version is a basic blacklist that turns off some of the known historical attack surface, initially imported from xdg-app. I added a note about code sharing - we should share rules among container implementations.
Diffstat (limited to 'Makefile-user-chroot.am')
-rw-r--r--Makefile-user-chroot.am8
1 files changed, 6 insertions, 2 deletions
diff --git a/Makefile-user-chroot.am b/Makefile-user-chroot.am
index 32db975..66f8eb4 100644
--- a/Makefile-user-chroot.am
+++ b/Makefile-user-chroot.am
@@ -17,9 +17,13 @@
bin_PROGRAMS += linux-user-chroot
-linux_user_chroot_SOURCES = src/linux-user-chroot.c
+linux_user_chroot_SOURCES = \
+ src/setup-seccomp.c \
+ src/linux-user-chroot.c \
+ $(NULL)
-linux_user_chroot_CFLAGS = $(AM_CFLAGS)
+linux_user_chroot_CFLAGS = $(AM_CFLAGS) $(LIBSECCOMP_CFLAGS)
+linux_user_chroot_LDFLAGS = $(LIBSECCOMP_LIBS)
if BUILD_NEWNET_HELPER
bin_PROGRAMS += linux-user-chroot-newnet
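Review bot: The added `linux_user_chroot_LDFLAGS = $(LIBSECCOMP_LIBS)` puts the libseccomp `-l` flags in the wrong Automake variable. `_LDFLAGS` is expanded before the object files on the link line, so a linker running with `--as-needed` can discard the library and leave unresolved the libseccomp symbols that src/setup-seccomp.c presumably uses. Libraries belong in `_LDADD`, i.e. `linux_user_chroot_LDADD = $(LIBSECCOMP_LIBS)`. The new source file and the `LIBSECCOMP_*` variables are also used unconditionally in this hunk, so libseccomp appears to become a hard build dependency even though the description says the filter is disabled by default. configure.ac is not visible on this page, so confirm that it fails clearly when libseccomp is missing rather than leaving these variables empty.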