From b887d2ebfe19b09d498f71589d245ad2060f1afd Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 13 Sep 2017 19:40:23 +0200
Subject: [PATCH] seccomp: beef up @process group a bit

Include the waid syscalls. If we permit forking then we should also
permit waiting for a process.

Similar to that: also permit determining the usage counters for
processes.

Include calls to determine process/thread identity. They have little
impact security-wise, but are very likely used when process management
of any form is done.

Also, add rt_sigqueueinfo + rt_tgsigqueueinfo as they are similar to
kill() and friends, but permit passing along a userdata ptr.
---
 src/shared/seccomp-util.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index eee7f04..d96b449 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -612,13 +612,23 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "clone\0"
                 "execveat\0"
                 "fork\0"
+                "getpid\0"
+                "getppid\0"
+                "getrusage\0"
+                "gettid\0"
                 "kill\0"
                 "prctl\0"
+                "rt_sigqueueinfo\0"
+                "rt_tgsigqueueinfo\0"
                 "setns\0"
                 "tgkill\0"
+                "times\0"
                 "tkill\0"
                 "unshare\0"
                 "vfork\0"
+                "wait4\0"
+                "waitid\0"
+                "waitpid\0"
         },
         [SYSCALL_FILTER_SET_RAW_IO] = {
                 .name = "@raw-io",
-- 
2.7.4