[systemd-devel] [PATCH 2/2] syscallfilter: port to libseccomp

Lennart Poettering lennart at poettering.net
Tue Feb 4 23:40:32 CET 2014


On Tue, 04.02.14 20:59, Ronny Chevalier (chevalier.ronny at gmail.com) wrote:

> There is no problem if someone does something like:
> SystemCallFilter=write read execve
> SystemCallFilter=ioperm
> -- or --
> SystemCallFilter=~write read execve
> SystemCallFilter=~ioperm
> 
> But in a case like:
> SystemCallFilter=~write read execve
> SystemCallFilter=ioperm
> 
> What about ioperm? Should it be considered like ~ioperm? If yes, what
> happens if someone does something like this:
> SystemCallFilter=write read execve
> SystemCallFilter=~ioperm
> 
> Should we ignore the ~ioperm and generate an error? Or something else?
> Since it doesn't mean anything.

Hmm, so currently when the first line is with "~" we start from a full
syscall set, and when it isn't with an empty set, and then we add/remove
bits from it. And all subsequent lines will just continue
adding/removing bits from this set. I'd claim this is a reasonably
simple and obvious thing to do, as well as something that might even be
useful to people -- think about people dropping in ".d/" snippets that
want to re-add a certain syscall that the .service file itself had
dropped...

> I mention this because I was about to send the new patch but I noticed
> that in the previous patch and the new one I forgot about this part in
> the documentation.

So yeah, I figure we should continue with this logic, and of course
probably document it...

Lennart

-- 
Lennart Poettering, Red Hat
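The merging rule Lennart describes (first line picks the starting set: the full syscall set if it begins with "~", the empty set otherwise; every line then adds or removes the syscalls it lists) as a small Python model, added here as an illustration and not taken from systemd's own parser. The syscall universe is a constructed sample, and the `merge_filters` / `parse_line` names are assumptions for this example; it also shows what happens to the two "mixed" cases from Ronny's question (they end up as no-ops).

```python
# Toy model of the SystemCallFilter= merging logic described in the reply.
# Written for this page as an illustration; it is NOT systemd's code.
# Rule modelled: the first line decides the starting set (full set if it
# starts with "~", empty set otherwise); each line then adds (no "~") or
# removes ("~") the syscalls it names, in order.

from typing import Iterable, Optional, Set, Tuple

# Constructed stand-in for "all syscalls"; the real kernel table is far larger.
ALL_SYSCALLS: Set[str] = {
    "read", "write", "open", "close", "execve", "ioperm", "iopl", "exit_group",
}


def parse_line(value: str) -> Tuple[bool, Set[str]]:
    """Split one SystemCallFilter= value into (is_negated, syscall_names)."""
    value = value.strip()
    negate = value.startswith("~")
    if negate:
        value = value[1:]
    return negate, set(value.split())


def merge_filters(lines: Iterable[str],
                  universe: Set[str] = ALL_SYSCALLS) -> Set[str]:
    """Return the set of syscalls still allowed after applying all lines."""
    allowed: Optional[Set[str]] = None
    for line in lines:
        negate, names = parse_line(line)
        unknown = names - universe
        if unknown:
            # Unknown names are rejected rather than silently ignored.
            raise ValueError(f"unknown syscall(s): {sorted(unknown)}")
        if allowed is None:
            # The first line chooses the starting point: whitelist or blacklist.
            allowed = set(universe) if negate else set()
        if negate:
            allowed -= names          # "~" lines remove bits from the set
        else:
            allowed |= names          # plain lines add bits to the set
    # No SystemCallFilter= lines at all means no filter: everything allowed.
    return allowed if allowed is not None else set(universe)


def dropin_readds_syscall() -> Set[str]:
    """The .d/ snippet case from the reply: the unit drops three syscalls,
    a later drop-in re-adds one of them."""
    return merge_filters(["~write read execve", "write"])


if __name__ == "__main__":
    for case in (["write read execve", "ioperm"],
                 ["~write read execve", "~ioperm"],
                 ["~write read execve", "ioperm"],   # ioperm already allowed: no-op
                 ["write read execve", "~ioperm"]):  # ioperm never allowed: no-op
        print(case, "->", sorted(merge_filters(case)))
    print("drop-in re-add ->", sorted(dropin_readds_syscall()))
```

The two mixed cases show why the rule needs no special error handling: `~write read execve` followed by `ioperm` adds a syscall that was never removed, and `write read execve` followed by `~ioperm` removes one that was never added, so both second lines are harmless no-ops rather than contradictions.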

