From: Lennart Poettering
Date: Tue, 27 Jul 2021 15:11:09 +0000 (+0200)
Subject: seccomp: move sched_getaffinity() from @system-service to @default
X-Git-Tag: v247.9~8
X-Git-Url: http://git-history.diyao.me/?a=commitdiff_plain;h=8f5ec0ce9383801ceadebec33577f25ec5786195;p=systemd%2F.git

seccomp: move sched_getaffinity() from @system-service to @default

See: https://github.com/systemd/systemd/pull/20191#issuecomment-881982739

In general, we shouldn't blanket move syscalls like this into @default, given that glibc actually does have fallbacks, afaics. However, as long as the syscalls are "read-only" and thus benign, I figure it's a safe thing to do.

But we should probably stick to a "if in doubt, don't" rule, and put these syscalls in @system-service as default, but not into @default. I think in the real world @system-service is the sensible group people should use, and not @default actually.

(cherry picked from commit 7df660e45682af5c40a236abe1bdc5ddcf3b3533)
(cherry picked from commit ee8564940b527cef6e643e6e41b6f0b5df375a37)
(cherry picked from commit bcdec4e0fc1744461d535091298d5da5b369ace0c)
---
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 9c540d15e9..7b3e737aaa 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -330,6 +330,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "restart_syscall\0" "rseq\0" "rt_sigreturn\0" + "sched_getaffinity\0" "sched_yield\0" "set_robust_list\0" "set_thread_area\0" @@ -874,7 +875,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "remap_file_pages\0" "sched_get_priority_max\0" "sched_get_priority_min\0" - "sched_getaffinity\0" "sched_getattr\0" "sched_getparam\0" "sched_getscheduler\0"
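Review bot: The first hunk (the `@@ -330,6 +330,7 @@` block adding `"sched_getaffinity\0"` between `"rt_sigreturn\0"` and `"sched_yield\0"`) widens the @default set, and since @default is implicitly included in every SystemCallFilter= allowlist, every filtered unit on the system gains this syscall, not only units that opted into @system-service; the commit message itself argues for an "if in doubt, don't" rule and says such moves should be the exception, so the message should state concretely which glibc code path (only referenced via the linked PR comment) lacks a fallback, so a future reader can see why this one justified crossing into @default. The placement keeps the list's alphabetical order, which is correct.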
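Review bot: The second hunk (the `@@ -874,7 +875,6 @@` block removing `"sched_getaffinity\0"` from the @system-service list) is only behaviour-preserving for units using @system-service because @system-service includes @default; a reviewer should confirm that the @system-service definition in this v247 backport still lists `"@default\0"` among its members, since if it did not, units using @system-service would silently lose sched_getaffinity() after this change. The one-line offset shift in the hunk header (`-874` to `+875`) is consistent with the single addition in the first hunk.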