seccomp: add two new filter sets: @reboot and @swap

These groupe reboot()/kexec() and swapon()/swapoff() respectively

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 812e615..202b912 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1425,9 +1425,17 @@
                 <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …)</entry>
               </row>
               <row>
+                <entry>@reboot</entry>
+                <entry>System calls for rebooting and reboot preparation (<citerefentry project='man-pages'><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>kexec()</function>, …)</entry>
+              </row>
+              <row>
                 <entry>@resources</entry>
                 <entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
               </row>
+              <row>
+                <entry>@swap</entry>
+                <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
+              </row>
             </tbody>
           </tgroup>
         </table>

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 66b72b2..28c2079 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -566,6 +566,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "s390_pci_mmio_write\0"
 #endif
         },
+        [SYSCALL_FILTER_SET_REBOOT] = {
+                .name = "@reboot",
+                .help = "Reboot and reboot preparation/kexec",
+                .value =
+                "kexec\0"
+                "kexec_file_load\0"
+                "reboot\0"
+        },
         [SYSCALL_FILTER_SET_RESOURCES] = {
                 /* Alter resource settings */
                 .name = "@resources",
@@ -582,6 +590,13 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "sched_setattr\0"
                 "prlimit64\0"
         },
+        [SYSCALL_FILTER_SET_SWAP] = {
+                .name = "@swap",
+                .help = "Enable/disable swap devices",
+                .value =
+                "swapoff\0"
+                "swapon\0"
+        },
 };
 
 const SyscallFilterSet *syscall_filter_set_find(const char *name) {

diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 01cf331..2e9980e 100644 (file)
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -56,7 +56,9 @@ enum {
         SYSCALL_FILTER_SET_PRIVILEGED,
         SYSCALL_FILTER_SET_PROCESS,
         SYSCALL_FILTER_SET_RAW_IO,
+        SYSCALL_FILTER_SET_REBOOT,
         SYSCALL_FILTER_SET_RESOURCES,
+        SYSCALL_FILTER_SET_SWAP,
         _SYSCALL_FILTER_SET_MAX
 };