[systemd-devel] [PATCH 2/2] syscallfilter: port to libseccomp

Shawn Landden shawn at churchofgit.com
Wed Feb 5 02:38:55 CET 2014


Both libseccomp and systemd's use of it need to be ported to ARM,
which supports seccomp filter mode.

On Tue, Feb 4, 2014 at 2:40 PM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Tue, 04.02.14 20:59, Ronny Chevalier (chevalier.ronny at gmail.com) wrote:
>
>> There is no problem if someone does something like:
>> SystemCallFilter=write read execve
>> SystemCallFilter=ioperm
>> -- or --
>> SystemCallFilter=~write read execve
>> SystemCallFilter=~ioperm
>>
>> But in a case like:
>> SystemCallFilter=~write read execve
>> SystemCallFilter=ioperm
>>
>> What about ioperm? Should it be considered like ~ioperm? If yes, what
>> happens if someone does something like this:
>> SystemCallFilter=write read execve
>> SystemCallFilter=~ioperm
>>
>> Should we ignore the ~ioperm and generate an error? Or something else?
>> Since it doesn't mean anything.
>
> Hmm, so currently when the first line is with "~" we start from a full
> syscall set, and when it isn't with an empty set, and then we add/remove
> bits from it. And all subsequent lines will just continue
> adding/removing bits from this set. I'd claim this is a reasonably
> simple and obvious thing to do, as well as something that might even be
> useful to people -- think about people dropping in ".d/" snippets that
> want to re-add a certain syscall that the .service file itself had
> dropped...
>
>> I mention this because I was about to send the new patch but I noticed
>> that in the previous patch and the new one I forgot about this part in
>> the documentation.
>
> So yeah, I figure we should continue with this logic, and of course
> probably document it...
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel



-- 
Shawn Landden
+1 360 389 3001 (SMS preferred)
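As an added example, not code from this thread or from systemd's source, the Python below folds several SystemCallFilter= lines into one allowed set using exactly the rule Lennart states above: the first line decides the starting point (a "~" line starts from the full syscall set, a plain line from the empty set), and every line, including the first, then adds (no "~") or removes ("~") the names it lists. The syscall universe is a constructed sample standing in for the real table, and the function and regex names are this example's own.

```python
# Added example: merging of multiple SystemCallFilter= lines following the
# semantics described in the thread. Not systemd's own parser.
import re

# Constructed universe of syscall names; stands in for the real syscall table.
SAMPLE_SYSCALLS = frozenset({"read", "write", "execve", "ioperm", "iopl", "open", "close"})

# Matches "SystemCallFilter=" with an optional leading "~" on the value.
_LINE_RE = re.compile(r"^\s*SystemCallFilter\s*=\s*(~?)\s*(.*?)\s*$")


def parse_filter_line(line):
    """Return (negated, [names]) for one SystemCallFilter= line, or None if the
    line is some other unit-file setting."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    negated = m.group(1) == "~"
    names = m.group(2).split()
    return negated, names


def merge_syscall_filters(lines, universe=SAMPLE_SYSCALLS):
    """Fold SystemCallFilter= lines (unit file plus drop-ins, in order) into the
    set of syscalls that remain allowed.

    - First line with "~": start from the full set; without "~": start empty.
    - Each line then removes ("~") or adds (no "~") the syscalls it names.
    Returns None when no SystemCallFilter= line was present at all.
    """
    allowed = None
    for line in lines:
        parsed = parse_filter_line(line)
        if parsed is None:
            continue  # not a SystemCallFilter= line
        negated, names = parsed
        unknown = [n for n in names if n not in universe]
        if unknown:
            raise ValueError(f"unknown system call(s): {unknown}")
        if allowed is None:
            # The first filter line fixes the starting set.
            allowed = set(universe) if negated else set()
        if negated:
            allowed.difference_update(names)  # blacklist these
        else:
            allowed.update(names)  # whitelist these
    return frozenset(allowed) if allowed is not None else None


if __name__ == "__main__":
    # The four cases from the thread, plus the drop-in re-add case.
    cases = {
        "plain, plain": ["SystemCallFilter=write read execve", "SystemCallFilter=ioperm"],
        "~, ~": ["SystemCallFilter=~write read execve", "SystemCallFilter=~ioperm"],
        "~, plain": ["SystemCallFilter=~write read execve", "SystemCallFilter=ioperm"],
        "plain, ~": ["SystemCallFilter=write read execve", "SystemCallFilter=~ioperm"],
        "service drops, .d/ re-adds": ["SystemCallFilter=~ioperm", "SystemCallFilter=ioperm"],
    }
    for label, lines in cases.items():
        print(f"{label:28s} -> allowed: {sorted(merge_syscall_filters(lines))}")
```

Under this rule the "mixed" cases Ronny asks about are well defined rather than errors: "~write read execve" followed by "ioperm" leaves ioperm allowed because it was never removed from the full starting set, and "write read execve" followed by "~ioperm" removes a name that was never added, so the second line is simply a no-op.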

