seccomp: move brk+mmap+mmap2 into @default syscall filter set

These three syscalls are internally used by libc's memory allocation logic, i.e. ultimately back malloc(). Allocating a bit of memory is so basic, it should just be in the default set. This fixes a couple of issues with asan/msan and the seccomp tests: when asan/msan is used some additional, large memory allocations take place in the background, and unless mmap/mmap2/brk are allowlisted these will fail, aborting the test prematurely. (cherry picked from commit 5abede3247591248718026cb8be6cd231de7728b)
author: Lennart Poettering <lennart@poettering.net> 2020-11-19 11:14:41 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2020-12-08 18:08:31 +0100
commit: 811f7fb15689002bc7e1b08f3462af253a4a1aa3 (patch)
tree: 0b4aab8d97c08f1dba545d4fd98e857f3c1570d9 /src/shared
parent: e30dee26662a56db355e0f74389313f943a824ac (diff)
download: systemd-811f7fb15689002bc7e1b08f3462af253a4a1aa3.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 3d0a6b4da9..023df468ae 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -257,6 +257,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 .name = "@default",
                 .help = "System calls that are always permitted",
                 .value =
+                "brk\0"
                 "cacheflush\0"
                 "clock_getres\0"
                 "clock_getres_time64\0"
@@ -294,6 +295,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "getuid\0"
                 "getuid32\0"
                 "membarrier\0"
+                "mmap\0"
+                "mmap2\0"
                 "nanosleep\0"
                 "pause\0"
                 "prlimit64\0"
@@ -444,8 +447,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "mkdirat\0"
                 "mknod\0"
                 "mknodat\0"
-                "mmap\0"
-                "mmap2\0"
                 "munmap\0"
                 "newfstatat\0"
                 "oldfstat\0"
@@ -819,7 +820,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "@signal\0"
                 "@sync\0"
                 "@timer\0"
-                "brk\0"
                 "capget\0"
                 "capset\0"
                 "copy_file_range\0"
author	Lennart Poettering <lennart@poettering.net>	2020-11-19 11:14:41 +0100
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2020-12-08 18:08:31 +0100
commit	811f7fb15689002bc7e1b08f3462af253a4a1aa3 (patch)
tree	0b4aab8d97c08f1dba545d4fd98e857f3c1570d9 /src/shared
parent	e30dee26662a56db355e0f74389313f943a824ac (diff)
download	systemd-811f7fb15689002bc7e1b08f3462af253a4a1aa3.tar.gz