author | Lennart Poettering <lennart@poettering.net> | 2016-08-17 17:53:25 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-08-22 14:17:23 +0200 |
commit | 4a4485ae69bddf6cc01d4c50f3f53535c2d8fea4 (patch) | |
tree | 8efe7c12615a3a5ca0952f97ea30bd6b1424b1b6 /src/shared/seccomp-util.c | |
parent | mount-tool: return 0 instead of NULL in the acquire_description() (#4009) (diff) | |
seccomp: make sure getrlimit() is among the default permitted syscalls
A lot of basic code wants to know the stack size, and it is safe if they do,
hence let's permit getrlimit() (but not setrlimit()) by default.
See: #3970
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r-- | src/shared/seccomp-util.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 8656d112b8..b549426e2b 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -127,6 +127,7 @@ const SystemCallFilterSet syscall_filter_sets[] = { "execve\0" "exit\0" "exit_group\0" + "getrlimit\0" /* make sure processes can query stack size and such */ "rt_sigreturn\0" "sigreturn\0" }, { |
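Review bot: the inline comment on the new "getrlimit\0" entry records why the call is allowed but not that setrlimit() is deliberately left out, which only the commit message states. Since this list defines what is permitted by default, consider extending the comment to something like "query only, setrlimit() is intentionally not in this set", so a later reader does not add the setter for symmetry. Separately, the entry matches a single syscall name. Where libc queries limits through ugetrlimit or prlimit64 instead, the stack-size lookup this change is meant to allow would still be filtered. It is worth confirming which names the supported architectures actually issue. Note that prlimit64 can also set limits, so it does not meet the "safe to permit" reasoning given for getrlimit.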