seccompfilter_rules.h

/* SPDX-License-Identifier: GPL-2.0-or-later */

/* We do not need ifndef _XXX_H guard: https://github.com/rootless-containers/slirp4netns/pull/238#discussion_r530214521 */

#ifndef BLOCK
#error "Included in an unexpected way?"
#endif

/*
  NOTE:
  - Run `sudo systemd-analyze syscall-filter` to show list of syscall groups.
  - Ideally we should also block open() and openat(), but these calls are required for opening resolv.conf
 */

/* group: @default */
BLOCK(execve);

/* group: @debug */
BLOCK(lookup_dcookie);
BLOCK(pidfd_getfd);
BLOCK(ptrace);

/* group: @ipc */
BLOCK(process_vm_readv);
BLOCK(process_vm_writev);

/* group: @module*/
BLOCK(delete_module);
BLOCK(finit_module);
BLOCK(init_module);

/* group: @mount */
BLOCK(chroot);
BLOCK(fsconfig);
BLOCK(fsmount);
BLOCK(fsopen);
BLOCK(fspick);
BLOCK(mount);
BLOCK(move_mount);
BLOCK(open_tree);
BLOCK(pivot_root);
BLOCK(umount);
BLOCK(umount2);

/* group: @privileged */
BLOCK(open_by_handle_at);

/* group: @process */
BLOCK(execveat);
BLOCK(pidfd_open);
BLOCK(pidfd_send_signal);
BLOCK(prctl);
BLOCK(setns);
BLOCK(unshare);

/* group: @reboot */
BLOCK(kexec_file_load);
BLOCK(kexec_load);
BLOCK(reboot);

/* group: @system-service */
BLOCK(name_to_handle_at);