author | Lennart Poettering <lennart@poettering.net> | 2016-11-02 15:46:18 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-11-02 15:50:00 +0100 |
commit | 133ddbbeae74fc06173633605b3e612e934bc2dd (patch) | |
tree | e642c6e827ecbd0ee47be2628e05c22aa389055c /src/shared/seccomp-util.h | |
parent | man: two minor fixes (diff) | |
seccomp: add two new syscall groups
@resources contains various syscalls that alter resource limits and memory and
scheduling parameters of processes. As such they are good candidates to block
for most services.
@basic-io contains a number of basic syscalls for I/O, similar to the list
seccomp v1 permitted but slightly more complete. It should be useful for
building basic whitelisting for minimal sandboxes.
Diffstat (limited to '')
-rw-r--r-- | src/shared/seccomp-util.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 8050fc6fbf..8e209efef2 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -38,6 +38,7 @@ typedef struct SyscallFilterSet {
 } SyscallFilterSet;

 enum {
+ SYSCALL_FILTER_SET_BASIC_IO,
 SYSCALL_FILTER_SET_CLOCK,
 SYSCALL_FILTER_SET_CPU_EMULATION,
 SYSCALL_FILTER_SET_DEBUG,
@@ -52,6 +53,7 @@ enum {
 SYSCALL_FILTER_SET_PRIVILEGED,
 SYSCALL_FILTER_SET_PROCESS,
 SYSCALL_FILTER_SET_RAW_IO,
+ SYSCALL_FILTER_SET_RESOURCES,
 _SYSCALL_FILTER_SET_MAX
 }; |
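Review bot: The two new enumerators (`SYSCALL_FILTER_SET_BASIC_IO` in the first hunk, `SYSCALL_FILTER_SET_RESOURCES` in the second) are added without any comment stating the invariant the `enum` has to keep. Presumably these constants index a table of `SyscallFilterSet` entries bounded by `_SYSCALL_FILTER_SET_MAX`, but that table is not in this view. If so, an enumerator without a matching table entry would leave a zero-initialised slot, and the group name would resolve to no syscalls instead of failing loudly. That is the wrong way for a sandbox filter to fail. I would add `/* Keep sorted; every value below needs a matching SyscallFilterSet table entry */` above the first enumerator. Because `SYSCALL_FILTER_SET_BASIC_IO` goes in first, every existing constant is renumbered, so it is also worth confirming that nothing stores or compares these values numerically.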