[systemd-devel] Is SystemCallFilter working for you?

Ronny Chevalier chevalier.ronny at gmail.com
Tue Jun 9 06:54:08 PDT 2015


On Tue, Jun 9, 2015 at 1:00 PM, Martin Pitt <martin.pitt at ubuntu.com> wrote:
> Hello all,
>
> I was about to (re-)enable seccomp support in our systemd packages,
> and to write an integration test for it. However, it seems that this
> currently does not seem to work at all.
>
> config.h has HAVE_SECCOMP==1, and systemctl --version shows +SECCOMP,
> kernel has CONFIG_SECCOMP=y, CONFIG_HAVE_ARCH_SECCOMP_FILTER=y, and
> CONFIG_SECCOMP_FILTER=y, and I'm running on x86-64, so that all seems
> fine.
>
> But if I have a unit like
>
> | [Unit]
> | Description=seccomp test
> |
> | [Service]
> | ExecStart=/bin/cat /etc/machine-id
> | SystemCallFilter=access
>
> (which really ought to fail) it just succeeds. Also, running
> ./test-execute as root fails in test_exec_systemcallfilter():
>
> | exec-systemcallfilter-failing.service
> |       UMask: 0022
> |       WorkingDirectory: /home/martin
> |       RootDirectory: /
> |       NonBlocking: no
> |       PrivateTmp: no
> |       PrivateNetwork: no
> |       PrivateDevices: no
> |       ProtectHome: no
> |       ProtectSystem: no
> |       IgnoreSIGPIPE: yes
> |       StandardInput: null
> |       StandardOutput: inherit
> |       StandardError: inherit
> | This should not be seen
> |       PID: 16439
> |       Start Timestamp: Tue 2015-06-09 12:56:51 CEST
> |       Exit Timestamp: Tue 2015-06-09 12:56:51 CEST
> |       Exit Code: exited
> |       Exit Status: 0
> | Assertion 'service->main_exec_status.status == status_expected' failed at src/test/test-execute.c:57, function check(). Aborting.
>
> This is with libseccomp 2.2.1, I tested kernel 3.19 and 4.0. Is that
> working for anyone else? In particular, could you check if you have
> HAVE_SECCOMP and test-execute succeeds (as root) for you?
>

Hi,

It works for me. I tested on my machine with Linux 4.0.5 (Arch Linux)
and libseccomp 2.2.0, and test-execute passed.

But looking at your output, there is something weird: you should
have a line like this for this test:
SystemCallFilter: exit exit_group rt_sigreturn ioperm execve

Just after StandardError: inherit and just before PID: 16439.

This is because exec_context_dump() prints the SystemCallFilter line if
it isn't empty. Since test-execute launched the seccomp tests,
HAVE_SECCOMP is set, but it seems that syscall_filter == NULL in your
case?

> Thanks,
>
> Martin
> --
> Martin Pitt                        | http://www.piware.de
> Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

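The question in this thread is whether a filter was loaded at all. As an added example (not part of the original message and not systemd code), the script below reads the kernel's own record of that from the Seccomp: field of /proc/<pid>/status instead of relying on systemd's dump output. The function names, the sample PIDs and the unit name example.service are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): read the kernel's view of a process's
# seccomp state from the "Seccomp:" field of /proc/<pid>/status.
#   0 = no seccomp, 1 = strict mode, 2 = filter mode (what SystemCallFilter= uses)

# seccomp_mode STATUS_FILE -> prints disabled | strict | filter | unknown
seccomp_mode() {
    mode=$(awk '$1 == "Seccomp:" { print $2; exit }' "$1" 2>/dev/null) || mode=
    case "$mode" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;  # field absent or file unreadable (process gone)
    esac
}

# audit_pids PROC_ROOT PID... -> one "PID MODE" line per PID;
# returns 1 if any listed PID is not running under a seccomp filter.
audit_pids() {
    root=$1; shift
    rc=0
    for pid in "$@"; do
        m=$(seccomp_mode "$root/$pid/status")
        printf '%s %s\n' "$pid" "$m"
        [ "$m" = filter ] || rc=1
    done
    return "$rc"
}

# make_sample_proc DIR: constructed /proc-like tree for an offline run.
# PID 100 has a filter loaded; PID 200 has none, which is the failure mode
# suspected in this thread.
make_sample_proc() {
    mkdir -p "$1/100" "$1/200"
    printf 'Name:\tcat\nPid:\t100\nSeccomp:\t2\n' > "$1/100/status"
    printf 'Name:\tcat\nPid:\t200\nSeccomp:\t0\n' > "$1/200/status"
}

# On a live system (example.service is a placeholder unit name):
#   pid=$(systemctl show -p MainPID example.service | cut -d= -f2)
#   audit_pids /proc "$pid"
```

This only works while the service's main process is still running; a unit that exits immediately, like the cat test unit quoted above, leaves no /proc entry to read and is reported as unknown.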
