author | Toni Uhlig <matzeton@googlemail.com> | 2018-06-17 23:14:40 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2018-06-17 23:14:40 +0200 |
commit | 6d5870fc01a39cfc51eb28f891e8e9cc48aabc7e (patch) | |
tree | 55a3d34f88c767344bc3cb5ae9717b21b7ed4962 | |
parent | fbf2d20a35f4bf7be951588d17658b6aeedc74eb (diff) |
flawfinder ignores now seccomp syscall definitions
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | src/pseccomp.c | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/src/pseccomp.c b/src/pseccomp.c index a08bc11..dc06615 100644 --- a/src/pseccomp.c +++ b/src/pseccomp.c @@ -29,13 +29,13 @@ static const int minimum_disabled_syscalls[] = { SCMP_SYS(iopl), SCMP_SYS(swapon), SCMP_SYS(swapoff), - SCMP_SYS(syslog), + SCMP_SYS(syslog) /* Flawfinder: ignore */, SCMP_SYS(nice), SCMP_SYS(kcmp), SCMP_SYS(unshare), SCMP_SYS(setns), SCMP_SYS(pivot_root), - SCMP_SYS(chroot), + SCMP_SYS(chroot) /* Flawfinder: ignore */, SCMP_SYS(fchdir), SCMP_SYS(capset), SCMP_SYS(mknod), @@ -67,9 +67,10 @@ static const int default_allowed_syscalls[] = { SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex), /* operations on files */ SCMP_SYS(open), SCMP_SYS(openat), - SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(access), + SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(fstat64), + SCMP_SYS(access) /* Flawfinder: ignore */, SCMP_SYS(_llseek), SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(stat64), - SCMP_SYS(readlink), SCMP_SYS(getcwd), + SCMP_SYS(readlink) /* Flawfinder: ignore */, SCMP_SYS(getcwd), SCMP_SYS(lstat), SCMP_SYS(sysinfo), /* operations on user/group */ SCMP_SYS(setuid), SCMP_SYS(setuid32), SCMP_SYS(setgid), SCMP_SYS(setgid32), @@ -82,10 +83,11 @@ static const int default_allowed_syscalls[] = { SCMP_SYS(kill), /* other */ SCMP_SYS(unshare), SCMP_SYS(setns), - SCMP_SYS(chroot), SCMP_SYS(chdir), SCMP_SYS(mount), SCMP_SYS(umount2), + SCMP_SYS(chroot) /* Flawfinder: ignore */, SCMP_SYS(chdir), SCMP_SYS(mount), SCMP_SYS(umount2), SCMP_SYS(mknod), SCMP_SYS(mkdir), SCMP_SYS(rmdir), SCMP_SYS(statfs), SCMP_SYS(ioctl), - SCMP_SYS(umask), SCMP_SYS(chown), SCMP_SYS(chmod), SCMP_SYS(setsid), + SCMP_SYS(umask), SCMP_SYS(chown) /* Flawfinder: ignore */, + SCMP_SYS(chmod) /* Flawfinder: ignore */, SCMP_SYS(setsid), SCMP_SYS(dup), SCMP_SYS(dup2), SCMP_SYS(dup3), SCMP_SYS(sethostname), SCMP_SYS(uname), SCMP_SYS(arch_prctl) }; 
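Review bot: The per-line `/* Flawfinder: ignore */` directives added in all three hunks here (and again in the jail_allowed_syscalls hunk that follows) suppress the hits without recording why they are false positives: `SCMP_SYS(chroot)`, `SCMP_SYS(access)`, `SCMP_SYS(readlink)` and the rest expand to syscall numbers for the seccomp filter, they do not call chroot()/access()/readlink(), so the flawfinder rules do not apply. I would add one comment above the first table, e.g. `/* Flawfinder: hits on SCMP_SYS(...) entries are false positives; these are syscall numbers for the filter, not calls. */`, so a later reader does not have to take the suppressions on trust. Flawfinder's ignore directive applies to the whole line it appears on, so the third hunk's `SCMP_SYS(chroot) /* Flawfinder: ignore */, SCMP_SYS(chdir), SCMP_SYS(mount), SCMP_SYS(umount2),` would also silence any hit later added to that line, whereas the other hunks move the ignored entry onto a line of its own; this line should follow the same pattern. The commit does not change the filter contents, and the enclosing array initializers start and end outside the hunks.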
@@ -108,9 +110,11 @@ static const int jail_allowed_syscalls[] = { SCMP_SYS(fork), SCMP_SYS(clone), SCMP_SYS(execve), SCMP_SYS(mmap), SCMP_SYS(mmap2), SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex), - SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(access), + SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(fstat), SCMP_SYS(fstat64), + SCMP_SYS(access) /* Flawfinder: ignore */, SCMP_SYS(poll), SCMP_SYS(pipe), SCMP_SYS(pipe2), - SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(readlink), SCMP_SYS(getcwd), + SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(stat64), + SCMP_SYS(readlink) /* Flawfinder: ignore */, SCMP_SYS(getcwd), SCMP_SYS(lstat), SCMP_SYS(sysinfo), SCMP_SYS(setuid), SCMP_SYS(setgid), SCMP_SYS(setresuid), SCMP_SYS(setresgid), |