[systemd-devel] Is SystemCallFilter working for you?

Martin Pitt martin.pitt at ubuntu.com
Tue Jun 9 04:00:07 PDT 2015


Hello all,

I was about to (re-)enable seccomp support in our systemd packages,
and to write an integration test for it. However, it seems that this
currently does not seem to work at all.

config.h has HAVE_SECCOMP==1, and systemctl --version shows +SECCOMP,
kernel has CONFIG_SECCOMP=y, CONFIG_HAVE_ARCH_SECCOMP_FILTER=y, and
CONFIG_SECCOMP_FILTER=y, and I'm running on x86-64, so that all seems
fine.

But if I have a unit like

| [Unit]
| Description=seccomp test
| 
| [Service]
| ExecStart=/bin/cat /etc/machine-id
| SystemCallFilter=access

(which really ought to fail) it just succeeds. Also, running
./test-execute as root fails in test_exec_systemcallfilter():

| exec-systemcallfilter-failing.service
| 	UMask: 0022
| 	WorkingDirectory: /home/martin
| 	RootDirectory: /
| 	NonBlocking: no
| 	PrivateTmp: no
| 	PrivateNetwork: no
| 	PrivateDevices: no
| 	ProtectHome: no
| 	ProtectSystem: no
| 	IgnoreSIGPIPE: yes
| 	StandardInput: null
| 	StandardOutput: inherit
| 	StandardError: inherit
| This should not be seen
| 	PID: 16439
| 	Start Timestamp: Tue 2015-06-09 12:56:51 CEST
| 	Exit Timestamp: Tue 2015-06-09 12:56:51 CEST
| 	Exit Code: exited
| 	Exit Status: 0
| Assertion 'service->main_exec_status.status == status_expected' failed at src/test/test-execute.c:57, function check(). Aborting.

This is with libseccomp 2.2.1, I tested kernel 3.19 and 4.0. Is that
working for anyone else? In particular, could you check if you have
HAVE_SECCOMP and test-execute succeeds (as root) for you?

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
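
An added example, not part of the original post or of systemd's test suite: one way an integration test could decide whether the allowlist in the unit above was actually enforced, by interpreting the `ExecMainCode` and `ExecMainStatus` properties printed by `systemctl show`. The function names and the sample `systemctl show` outputs are constructed for illustration; the unit text is the one from the message.

```python
import signal

# Linux si_code values for SIGCHLD; systemd reports one of them as ExecMainCode.
CLD_EXITED, CLD_KILLED, CLD_DUMPED = 1, 2, 3
SIGSYS = int(signal.SIGSYS)  # signal a process receives when a seccomp filter kills it

UNIT = """[Unit]
Description=seccomp test

[Service]
ExecStart=/bin/cat /etc/machine-id
SystemCallFilter=access
"""

# Constructed `systemctl show -p ExecMainCode -p ExecMainStatus` outputs.
SHOW_NOT_FILTERED = "ExecMainCode=1\nExecMainStatus=0\n"    # exited, status 0
SHOW_FILTERED = f"ExecMainCode=2\nExecMainStatus={SIGSYS}\n"  # killed by SIGSYS


def parse_filter(unit_text):
    """Return (is_allowlist, syscall_names) for the first SystemCallFilter=
    line, or None if the unit has none. A leading '~' inverts the list."""
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SystemCallFilter":
            value = value.strip()
            return (not value.startswith("~"), set(value.lstrip("~").split()))
    return None


def filter_verdict(show_output):
    """Classify the result of a service whose allowlist omits syscalls the
    command needs, so a working filter must kill it with SIGSYS."""
    props = dict(l.split("=", 1) for l in show_output.splitlines() if "=" in l)
    code = int(props.get("ExecMainCode", 0))
    status = int(props.get("ExecMainStatus", 0))
    # Kernels differ on whether a seccomp kill also dumps core; accept both.
    if code in (CLD_KILLED, CLD_DUMPED) and status == SIGSYS:
        return "enforced"
    if code == CLD_EXITED and status == 0:
        return "not enforced"
    return "inconclusive"


if __name__ == "__main__":
    print(parse_filter(UNIT))
    print(filter_verdict(SHOW_NOT_FILTERED), "/", filter_verdict(SHOW_FILTERED))
```
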

