lib: allow syscall get_mempolicy
in default seccomp filter
This syscall is required by an upcoming version of btcpayserver. Because it is generally safe, we can allow it for all services.
parent
a2c01e5a56
commit
53a9f136b9
@ -33,7 +33,7 @@ let self = {
|
|||||||
# @system-service whitelist and docker seccomp blacklist (except for "clone"
|
# @system-service whitelist and docker seccomp blacklist (except for "clone"
|
||||||
# which is a core requirement for systemd services)
|
# which is a core requirement for systemd services)
|
||||||
# @system-service is defined in src/shared/seccomp-util.c (systemd source)
|
# @system-service is defined in src/shared/seccomp-util.c (systemd source)
|
||||||
SystemCallFilter = [ "@system-service" "~add_key clone3 get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
|
SystemCallFilter = [ "@system-service" "~add_key clone3 kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
|
||||||
SystemCallArchitectures = "native";
|
SystemCallArchitectures = "native";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
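Review bot: The comment above `SystemCallFilter` still describes the filter as the docker seccomp blacklist with "clone" as the only exception, but the new line also drops `get_mempolicy` from the deny list, so the comment no longer matches the filter. I would record the second exception and its reason next to the list, e.g. `# (except for "clone", a core requirement for systemd services, and "get_mempolicy", required by btcpayserver)`. Because this is the default filter, the relaxation reaches every service that uses it, while the description names only btcpayserver as needing the call. `mbind`, `set_mempolicy` and `move_pages` stay denied, so only the query call is opened up, but a per-service exception would be the narrower option if the module offers one. The enclosing attribute set under `let self = {` begins outside the hunk.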