diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2022-01-07 15:23:55 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2022-01-07 17:34:17 +0100 |
commit | 5f02870a74aa3a758115cc9bd6d68f239caf8453 (patch) | |
tree | d522c84201a488195ff72efa39a385ac55bfc5e4 /src/shared/seccomp-util.c | |
parent | 921e1bae16fbba1e3f40e0506cc23caa3ddc02d1 (diff) | |
download | systemd-5f02870a74aa3a758115cc9bd6d68f239caf8453.tar.gz |
seccomp: move arch_prctl to @default
It was reported as used by the linker:
> [It is] called in the setup of ld-linux-x86-64.so.2 from _dl_sysdep_start.
> My local call stack (with LTO):
>
> #0 init_cpu_features.constprop.0 (/usr/lib64/ld-linux-x86-64.so.2)
> #1 _dl_sysdep_start (/usr/lib64/ld-linux-x86-64.so.2)
> #2 _dl_start (/usr/lib64/ld-linux-x86-64.so.2)
> #3 _start (/usr/lib64/ld-linux-x86-64.so.2)
>
> Looking through the source, I think it's this (links for glibc 2.34):
> - First dl_platform_init calls _dl_x86_init_cpu_features, a wrapper for init_cpu_features.
> - Then init_cpu_features calls get_cet_status.
> - At last, get_cet_status invokes arch_prctl.
Fixes #22033.
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r-- | src/shared/seccomp-util.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index b70ad1f7ea..32bd8aa73b 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -286,6 +286,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { .name = "@default", .help = "System calls that are always permitted", .value = + "arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */ "brk\0" "cacheflush\0" "clock_getres\0" @@ -715,7 +716,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { .name = "@process", .help = "Process control, execution, namespacing operations", .value = - "arch_prctl\0" "capget\0" /* Able to query arbitrary processes */ "clone\0" "clone3\0" |