[systemd-devel] Easier alternative to SystemCallFilter
Lennart Poettering
lennart at poettering.net
Sun Apr 17 12:01:03 UTC 2016
On Sat, 16.04.16 11:48, Topi Miettinen (toiwoton at gmail.com) wrote:
> Hello,
>
> SystemCallFilter, while a nice feature, is not easy to use because there
> are hundreds of system calls to be managed.
>
> I'm proposing to add a simpler way to prepare seccomp filters (to
> complement SystemCallFilter), where the user can construct the filter by
> using predefined system call groups or sets.

Yeah, sounds like a useful addition. But could you please post this as
an issue on GitHub? We tend to track RFEs that way.

> The same as whitelist:
> SystemCallFilterSet=FileIO IPC Exec NetworkGeneral NetworkIOReceve
>
> SystemCallFilter lines would then modify the filters created by the
> SystemCallFilterSet instead of starting from scratch.
>
> Alternatively SystemCallFilter syntax could be enhanced with the sets.
> But then an old (downgraded) systemd would not understand the new syntax
> and it would reject the entire line, which would remove all
> filtering.

Well, that's not unlike when new syscalls are added, so this issue
sounds OK to me. IIRC we simply warn and proceed if we find a
token in the SystemCallFilter= line that we don't know. Hence, I think
it would be nice to say that maybe all tokens in that line that start
with an "@" or so refer to such named, high-level lists.

Lennart
--
Lennart Poettering, Red Hat
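
The warn-and-proceed parsing discussed in this thread, sketched as an added example (not code from the thread or from systemd). The set names, their membership and the `with_sets` switch are constructed for illustration; `with_sets == 0` models an older parser that has no knowledge of "@" tokens.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sets with constructed membership (not systemd's definitions). */
struct set { const char *name; const char *calls[4]; };
static const struct set sets[] = {
    { "@file-io", { "read", "write", "close", NULL } },
    { "@ipc",     { "pipe", "shmget", NULL } },
};
/* Syscall names this toy parser version recognises. */
static const char *known[] = { "read", "write", "close", "pipe", "shmget", "execve", NULL };
static const char *lookup(const char *name) {
    for (int i = 0; known[i]; i++)
        if (strcmp(known[i], name) == 0) return known[i];
    return NULL;
}

/* Parse a filter line into out[]; returns the number of syscalls stored.
 * Unknown tokens are warned about, skipped, and counted in *skipped. */
int parse_filter(const char *line, int with_sets, const char *out[], int max, int *skipped) {
    char buf[256];
    int n = 0;
    *skipped = 0;
    snprintf(buf, sizeof buf, "%s", line);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        const struct set *s = NULL;
        const char *k;
        if (with_sets && tok[0] == '@')   /* "@" marks a named, high-level list */
            for (size_t i = 0; i < sizeof sets / sizeof sets[0]; i++)
                if (strcmp(sets[i].name, tok) == 0) s = &sets[i];
        if (s) {
            for (int j = 0; s->calls[j] && n < max; j++)
                out[n++] = s->calls[j];
        } else if ((k = lookup(tok)) != NULL) {
            if (n < max) out[n++] = k;
        } else {
            fprintf(stderr, "warning: ignoring unknown token '%s'\n", tok);
            (*skipped)++;
        }
    }
    return n;
}

int main(void) {
    const char *out[16];
    int skipped, n = parse_filter("@file-io execve", 0, out, 16, &skipped);
    printf("old parser: %d allowed, %d skipped\n", n, skipped);
    return 0;
}
```

In this sketch the older parser keeps the rest of the line and ends up with a shorter whitelist, rather than rejecting the line and losing all filtering.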