diff options
| author | Lennart Poettering <lennart@poettering.net> | 2015-05-21 20:48:39 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2015-05-21 20:49:24 +0200 |
| commit | 5ba7a26847846322740c02b9b469f42ea4c3f105 (patch) | |
| tree | 4377ddf8124b0b6adf303149ff2b04b41fee4fed | |
| parent | 4c6d20dece1da97c31cd88ddebc007bf33204b82 (diff) | |
| download | systemd-5ba7a26847846322740c02b9b469f42ea4c3f105.tar.gz | |
nspawn: prohibit access to the kernel log buffer by default
Unless CAP_SYSLOG is explicitly passed block all access to kmg
| -rw-r--r-- | src/nspawn/nspawn.c | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 73f292e284..500936387f 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -2932,15 +2932,16 @@ static int setup_seccomp(void) { uint64_t capability; int syscall_num; } blacklist[] = { - { CAP_SYS_RAWIO, SCMP_SYS(iopl)}, - { CAP_SYS_RAWIO, SCMP_SYS(ioperm)}, - { CAP_SYS_BOOT, SCMP_SYS(kexec_load)}, - { CAP_SYS_ADMIN, SCMP_SYS(swapon)}, - { CAP_SYS_ADMIN, SCMP_SYS(swapoff)}, - { CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at)}, - { CAP_SYS_MODULE, SCMP_SYS(init_module)}, - { CAP_SYS_MODULE, SCMP_SYS(finit_module)}, - { CAP_SYS_MODULE, SCMP_SYS(delete_module)}, + { CAP_SYS_RAWIO, SCMP_SYS(iopl) }, + { CAP_SYS_RAWIO, SCMP_SYS(ioperm) }, + { CAP_SYS_BOOT, SCMP_SYS(kexec_load) }, + { CAP_SYS_ADMIN, SCMP_SYS(swapon) }, + { CAP_SYS_ADMIN, SCMP_SYS(swapoff) }, + { CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at) }, + { CAP_SYS_MODULE, SCMP_SYS(init_module) }, + { CAP_SYS_MODULE, SCMP_SYS(finit_module) }, + { CAP_SYS_MODULE, SCMP_SYS(delete_module) }, + { CAP_SYSLOG, SCMP_SYS(syslog) }, }; scmp_filter_ctx seccomp; |