summaryrefslogtreecommitdiffstats
path: root/src/shared/seccomp-util.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-08-17 17:53:25 +0200
committerLennart Poettering <lennart@poettering.net>2016-08-22 14:17:23 +0200
commit4a4485ae69bddf6cc01d4c50f3f53535c2d8fea4 (patch)
tree8efe7c12615a3a5ca0952f97ea30bd6b1424b1b6 /src/shared/seccomp-util.c
parentmount-tool: return 0 instead of NULL in the acquire_description() (#4009) (diff)
downloadsystemd-4a4485ae69bddf6cc01d4c50f3f53535c2d8fea4.tar.xz
systemd-4a4485ae69bddf6cc01d4c50f3f53535c2d8fea4.zip
seccomp: make sure getrlimit() is among the default permitted syscalls
A lot of basic code wants to know the stack size, and it is safe if they do, hence let's permit getrlimit() (but not setrlimit()) by default. See: #3970
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r--src/shared/seccomp-util.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 8656d112b8..b549426e2b 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -127,6 +127,7 @@ const SystemCallFilterSet syscall_filter_sets[] = {
"execve\0"
"exit\0"
"exit_group\0"
+ "getrlimit\0" /* make sure processes can query stack size and such */
"rt_sigreturn\0"
"sigreturn\0"
}, {