authorLennart Poettering <lennart@poettering.net>2023-03-24 11:15:21 +0100
committerLennart Poettering <lennart@poettering.net>2023-03-24 12:27:23 +0100
commitd12632a86103b5f9ff1ce61977661ad0c1e8a018 (patch)
treec67e6822883d2d676219bf705f879de93a53677a /src/shared/seccomp-util.c
parentaadbd81f7ffbc313d0541c15455211dddeedbfde (diff)
seccomp-util: add new @sandbox syscall group with landlock/seccomp
Let's group these 4 syscalls, as they offer similar things and I guess might be used in conjunction quite often, as they offer unprivileged sandboxing. Fixes: #26913
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r--src/shared/seccomp-util.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 8ece7f163f..a855f34602 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -800,6 +800,15 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"setpriority\0"
"setrlimit\0"
},
+ [SYSCALL_FILTER_SET_SANDBOX] = {
+ .name = "@sandbox",
+ .help = "Sandbox functionality",
+ .value =
+ "landlock_add_rule\0"
+ "landlock_create_ruleset\0"
+ "landlock_restrict_self\0"
+ "seccomp\0"
+ },
[SYSCALL_FILTER_SET_SETUID] = {
.name = "@setuid",
.help = "Operations for changing user/group credentials",
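Review bot: The new `[SYSCALL_FILTER_SET_SANDBOX]` entry gives no hint that listing `seccomp` here does not cover every way to install a seccomp filter: the kernel also accepts `prctl(PR_SET_SECCOMP, ...)`, and `prctl` is not in this group. An operator who writes `SystemCallFilter=~@sandbox` expecting to stop a service from altering its own filtering could be misled by the group name and the terse help text "Sandbox functionality". I would add a comment above `.value`, such as `/* Note: seccomp filters can also be installed via prctl(PR_SET_SECCOMP), which is not part of this group */`, and make `.help` more specific, for example `.help = "Unprivileged sandboxing (Landlock, seccomp)",`. The page is limited to this one file and the `syscall_filter_sets` initializer starts and ends outside the hunk, so whether `@sandbox` is also added to an allow-list group such as `@system-service`, and whether the man page is updated, cannot be checked from here.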