defaultHardening: allow clone3 system call

clone3 is the latest version of the clone system call, which is already
allowed.
clone3 is required by nbxplorer 2.3.20.
Erik Arvstedt 2022-04-30 15:35:45 +02:00 committed by Jonas Nick
parent 11116243ec
commit 29d2ffc111


@ -33,7 +33,7 @@ let self = {
# @system-service whitelist and docker seccomp blacklist (except for "clone" # @system-service whitelist and docker seccomp blacklist (except for "clone"
# which is a core requirement for systemd services) # which is a core requirement for systemd services)
# @system-service is defined in src/shared/seccomp-util.c (systemd source) # @system-service is defined in src/shared/seccomp-util.c (systemd source)
SystemCallFilter = [ "@system-service" "~add_key clone3 kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ]; SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
}; };
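Review bot: The comment above the filter still describes the deny-list as the docker seccomp blacklist "except for clone", but after this change clone3 is a second exception and nothing in the hunk records why; I would extend the comment to `# which is a core requirement for systemd services, and "clone3", which` / `# nbxplorer >= 2.3.20 requires)`. Worth noting in that comment as well: clone3 receives its flags in a user-space struct rather than in registers, so a seccomp filter such as SystemCallFilter cannot inspect them, and any namespace restriction for clone3 has to come from RestrictNamespaces, which systemd enforces by blocking clone3 outright when that option is set. Whether this module sets RestrictNamespaces is not visible in the hunk; the enclosing `let self = {` attribute set starts outside it.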