[systemd-devel] Is SystemCallFilter working for you?
Lennart Poettering
lennart at poettering.net
Tue Jun 9 15:31:59 PDT 2015
On Tue, 09.06.15 13:00, Martin Pitt (martin.pitt at ubuntu.com) wrote:
> Hello all,
>
> I was about to (re-)enable seccomp support in our systemd packages,
> and to write an integration test for it. However, it seems that this
> currently does not seem to work at all.
Works fine here.
> config.h has HAVE_SECCOMP==1, and systemctl --version shows +SECCOMP,
> kernel has CONFIG_SECCOMP=y, CONFIG_HAVE_ARCH_SECCOMP_FILTER=y, and
> CONFIG_SECCOMP_FILTER=y, and I'm running on x86-64, so that all seems
> fine.
Same settings here, on Fedora. All works fine.
> But if I have a unit like
>
> | [Unit]
> | Description=seccomp test
> |
> | [Service]
> | ExecStart=/bin/cat /etc/machine-id
> | SystemCallFilter=access
>
> (which really ought to fail) it just succeeds. Also, running
This fails here, as it should.
> ./test-execute as root fails in test_exec_systemcallfilter():
>
> | exec-systemcallfilter-failing.service
> | UMask: 0022
> | WorkingDirectory: /home/martin
> | RootDirectory: /
> | NonBlocking: no
> | PrivateTmp: no
> | PrivateNetwork: no
> | PrivateDevices: no
> | ProtectHome: no
> | ProtectSystem: no
> | IgnoreSIGPIPE: yes
> | StandardInput: null
> | StandardOutput: inherit
> | StandardError: inherit
> | This should not be seen
> | PID: 16439
> | Start Timestamp: Tue 2015-06-09 12:56:51 CEST
> | Exit Timestamp: Tue 2015-06-09 12:56:51 CEST
> | Exit Code: exited
> | Exit Status: 0
> | Assertion 'service->main_exec_status.status == status_expected' failed at src/test/test-execute.c:57, function check(). Aborting.
>
> This is with libseccomp 2.2.1, I tested kernel 3.19 and 4.0. Is that
> working for anyone else? In particular, could you check if you have
> HAVE_SECCOMP and test-execute succeeds (as root) for you?
The test works fine here too.
Seems to be specific to your distro/setup?
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list