[systemd-devel] [PATCH] nspawn: Map all seccomp filters to matching capabilities

Jay Faulkner jay at jvf.cc
Fri Feb 20 14:24:37 PST 2015


Hi all,

Two weeks ago[1] I patched systemd-nspawn to respect CAP_SYS_MODULE with regard to setting seccomp filters. As I needed access to some of the other blocked syscalls as well, I have a patch to map all seccomp filters to various capabilities, and to only set those filters if the matching capability is dropped. The matching capabilities were taken from the man pages of the syscalls involved.

I’d also suggest that in the future, additional filters use this same mapping so as to avoid breaking use cases like mine in the future. :)

The patch is attached, but in case it gets mangled in transport as the last one did, feel free to get it directly from GitHub here: https://github.com/jayofdoom/systemd/pull/3.patch.

Thanks,
Jay Faulkner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nspawn-map-seccomp-to-capabilities.patch
Type: application/octet-stream
Size: 4004 bytes
Desc: nspawn-map-seccomp-to-capabilities.patch
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150220/a7390e20/attachment-0001.obj>