[systemd-devel] Seeking advice for configuring SystemCallFilter=

Lennart Poettering lennart at poettering.net
Thu Aug 14 17:49:07 PDT 2014


On Tue, 08.07.14 17:33, David Timothy Strauss (david at davidstrauss.net) wrote:

> Is there a good way to empirically determine the additional calls
> required for an application, sort of like selinux permissive mode?
> We're often running user code on our servers, and we'd like to perform
> analysis and gradually roll out filtering. We'd like to be as
> non-disruptive as possible.

"strace" should do the job. It should give you a pretty good idea of all
syscalls a process uses. That's what I used when testing SyscallFilters=.

Lennart

-- 
Lennart Poettering, Red Hat


More information about the systemd-devel mailing list