Jan Alexander Steffens (heftig) pushed to branch main at Arch Linux / Packaging / Packages / fwupd
Commits: c0c4a9c1 by Jan Alexander Steffens (heftig) at 2024-04-24T20:54:46+02:00 Drop patch - - - - - 1 changed file: - − 0001-Use-simple-allow-listing-for-the-syscall-filter.patch Changes: ===================================== 0001-Use-simple-allow-listing-for-the-syscall-filter.patch deleted ===================================== @@ -1,44 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Richard Hughes <[email protected]> -Date: Fri, 19 Apr 2024 17:43:51 +0100 -Subject: [PATCH] Use simple allow-listing for the syscall filter - -Sometimes KISS is a good idea, especially for security. ---- - data/meson.build | 21 ++++++++++++++------- - 1 file changed, 14 insertions(+), 7 deletions(-) - -diff --git a/data/meson.build b/data/meson.build -index 712fc7fd22d2..3ca9afa5a1bf 100644 ---- a/data/meson.build -+++ b/data/meson.build -@@ -104,15 +104,22 @@ if build_daemon - dynamic_options += 'RestrictAddressFamilies=AF_NETLINK AF_UNIX' - endif - -- # the order of SystemCallFilter is important as the first encountered will take precedence and -- # will dictate the default action -- syscall_allow = ['@system-service'] -- syscall_deny = ['@resources'] -+ # allow-list, see `systemd-analyze syscall-filter` for what each group adds -+ syscall_filter = [ -+ '@basic-io', -+ '@file-system', -+ '@io-event', -+ '@ipc', -+ '@network-io', -+ '@process', -+ '@sync', -+ 'ioctl', -+ 'uname', -+ ] - if allow_flashrom -- syscall_allow += ['@raw-io'] -+ syscall_filter += ['@raw-io'] - endif -- dynamic_options += ['SystemCallFilter=' + ' '.join(syscall_allow)] -- dynamic_options += ['SystemCallFilter=~' + ' '.join(syscall_deny)] # tilde is not a typo -+ dynamic_options += ['SystemCallFilter=' + ' '.join(syscall_filter)] - - con2.set('dynamic_options', '\n'.join(dynamic_options)) - con2.set('motd_dir', motd_dir) View it on GitLab: https://gitlab.archlinux.org/archlinux/packaging/packages/fwupd/-/commit/c0c4a9c1cca4b92f003da33ad02581d64223ee46 -- This project does not include diff previews in email notifications. View it on GitLab: https://gitlab.archlinux.org/archlinux/packaging/packages/fwupd/-/commit/c0c4a9c1cca4b92f003da33ad02581d64223ee46 You're receiving this email because of your account on gitlab.archlinux.org.
