diff options
author | Lennart Poettering <lennart@poettering.net> | 2021-07-27 17:11:09 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-08-06 16:40:58 +0200 |
commit | 77681242c8c6d7693814b8245e9096e43faa21be (patch) | |
tree | a4405f67a950c5d747d58b7c189ecef17380c8a7 | |
parent | 9eb9b07c404be8d59a800c70593809a69f0d0e55 (diff) | |
download | systemd-77681242c8c6d7693814b8245e9096e43faa21be.tar.gz |
seccomp: move sched_getaffinity() from @system-service to @default
See: https://github.com/systemd/systemd/pull/20191#issuecomment-881982739
In general, we shouldn't blanket move syscalls like this into @default,
given that glibc actually does have fallbacks, afaics. However, as
long as the syscalls are "read-only" and thus benign, I figure it's a
safe thing to do. But we should probably stick to a "if in doubt, don't"
rule, and put these syscalls in @system-service as default, but not into
@default.
I think in the real world @system-service is the sensible group people
should use, and not @default actually.
(cherry picked from commit 7df660e45682af5c40a236abe1bdc5ddcf3b3533)
-rw-r--r-- | src/shared/seccomp-util.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 703d5a939c..631ca5dd34 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -331,6 +331,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "restart_syscall\0" "rseq\0" "rt_sigreturn\0" + "sched_getaffinity\0" "sched_yield\0" "set_robust_list\0" "set_thread_area\0" @@ -874,7 +875,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "remap_file_pages\0" "sched_get_priority_max\0" "sched_get_priority_min\0" - "sched_getaffinity\0" "sched_getattr\0" "sched_getparam\0" "sched_getscheduler\0" |