diff options
author | Lennart Poettering <lennart@poettering.net> | 2020-11-19 11:14:41 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-11-19 16:44:50 +0100 |
commit | 5abede3247591248718026cb8be6cd231de7728b (patch) | |
tree | 69335003eb7e0802cf8c93bb9c8e12d45a455d89 /src/shared/seccomp-util.c | |
parent | bca0618705d01ccac84523f4ddfe293fc1d44f66 (diff) | |
download | systemd-5abede3247591248718026cb8be6cd231de7728b.tar.gz |
seccomp: move brk+mmap+mmap2 into @default syscall filter set
These three syscalls are internally used by libc's memory allocation
logic, i.e. ultimately back malloc(). Allocating a bit of memory is so
basic, it should just be in the default set.
This fixes a couple of issues with asan/msan and the seccomp tests: when
asan/msan is used some additional, large memory allocations take place
in the background, and unless mmap/mmap2/brk are allowlisted these will
fail, aborting the test prematurely.
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r-- | src/shared/seccomp-util.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 6ca2c5713d..c02035c80f 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -282,6 +282,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { .name = "@default", .help = "System calls that are always permitted", .value = + "brk\0" "cacheflush\0" "clock_getres\0" "clock_getres_time64\0" @@ -319,6 +320,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "getuid\0" "getuid32\0" "membarrier\0" + "mmap\0" + "mmap2\0" "nanosleep\0" "pause\0" "prlimit64\0" @@ -468,8 +471,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "mkdirat\0" "mknod\0" "mknodat\0" - "mmap\0" - "mmap2\0" "munmap\0" "newfstatat\0" "oldfstat\0" @@ -844,7 +845,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "@signal\0" "@sync\0" "@timer\0" - "brk\0" "capget\0" "capset\0" "copy_file_range\0" |