[systemd-devel] [PATCH] Make seccomp protections in systemd-nspawn optional

Lennart Poettering mztabzr at 0pointer.de
Wed Feb 4 04:36:25 PST 2015


On Wed, 04.02.15 02:21, Jay Faulkner (jay at jvf.cc) wrote:

> > I am not particularly fond of the idea of adding a completely new
> > command line option for this though. Maybe we can find another way for
> > this.
> > 
> > For example, one option could be to split the seccomp syscall
> > blacklist in two: split out the kernel kmod related syscalls, and
> > only add them to the seccomp filter if arg_retain does not include
> > CAP_SYS_MODULE. This would then leave the module seccomp filters in
> > place by default, however, if you add the CAP_SYS_MODULE cap to the
> > container with --capability= then the seccomp filter is changed to
> > also allow the module loading sys calls.
> 
> I implemented this; the patch can be pulled directly from
> https://github.com/jayofdoom/systemd/pull/2.patch to prevent me from
> corrupting this along the way.

Applied, thanks!

> As a note; unlike what we discussed in IRC, someone passing capability=all
> will be covered for module loading in this situation, because all sets the
> bitmask to -1, effectively enabling all capabilities.

Yupp, I thought that was pretty much what I was saying on IRC.

Lennart

-- 
Lennart Poettering, Red Hat
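The mechanism discussed above (keep the module-loading syscalls in the seccomp blacklist only when CAP_SYS_MODULE is not in the retained-capability mask, with --capability=all setting that mask to -1) as an added, stand-alone C example; this is not the patch's code, and where nspawn builds its filter through libseccomp, this constructs the equivalent classic BPF program by hand. The base blacklist is a constructed subset, not nspawn's real list.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <linux/capability.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Always-blocked syscalls: a constructed subset standing in for nspawn's full list. */
static const int base_blacklist[] = { __NR_kexec_load, __NR_open_by_handle_at, __NR_swapon, __NR_swapoff };
/* Kernel-module syscalls, split out so they are filtered only when CAP_SYS_MODULE is dropped. */
static const int kmod_blacklist[] = { __NR_init_module, __NR_finit_module, __NR_delete_module };
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Emit "if nr == x then return -EPERM" for each syscall in list; returns the next free index. */
static size_t emit_deny(struct sock_filter *p, size_t i, const int *list, size_t n) {
    for (size_t k = 0; k < n; k++) {
        p[i++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t) list[k], 0, 1);
        p[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    return i;
}

/* Build the filter for a retained-capability mask (bit n set <=> CAP_n kept, like nspawn's arg_retain).
 * --capability=all sets the mask to (uint64_t) -1, so the CAP_SYS_MODULE bit is set and kmod syscalls stay allowed.
 * A production filter must also check seccomp_data.arch first; that is omitted here for brevity. */
size_t build_filter(uint64_t retain, struct sock_filter *prog, size_t max) {
    if (max < 2 + 2 * (N(base_blacklist) + N(kmod_blacklist))) return 0;  /* caller's buffer too small */
    size_t i = 0;
    prog[i++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    i = emit_deny(prog, i, base_blacklist, N(base_blacklist));
    if (!(retain & (1ULL << CAP_SYS_MODULE)))
        i = emit_deny(prog, i, kmod_blacklist, N(kmod_blacklist));
    prog[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* True if the built program contains a deny rule (JEQ nr followed by RET ERRNO) for syscall nr. */
bool filter_denies(const struct sock_filter *prog, size_t len, int nr) {
    for (size_t i = 0; i + 1 < len; i++)
        if (prog[i].code == (BPF_JMP | BPF_JEQ | BPF_K) && prog[i].k == (uint32_t) nr &&
            prog[i + 1].code == (BPF_RET | BPF_K) && (prog[i + 1].k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO)
            return true;
    return false;
}

/* Convenience wrapper: build the filter for a capability mask and report whether it denies nr. */
bool denies_for_mask(uint64_t retain, int nr) {
    struct sock_filter prog[64];
    size_t n = build_filter(retain, prog, N(prog));
    return filter_denies(prog, n, nr);
}
```

The program is only constructed and inspected here; installing it would be done with prctl(PR_SET_NO_NEW_PRIVS) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog).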

