[systemd-devel] SystemCallFilter
Lennart Poettering
lennart at poettering.net
Thu Jun 20 13:13:23 UTC 2019
On Di, 28.05.19 17:16, Josef Moellers (jmoellers at suse.de) wrote:
> On 28.05.19 16:59, Lennart Poettering wrote:
> > On Di, 28.05.19 14:04, Josef Moellers (jmoellers at suse.de) wrote:
> >
> >>> Regarding the syscall groupings: yes, the groups exist precisely to
> >>> improve cases like this. That said, I think we should be careful not to
> >>> have an inflation of groups, and we should ask twice whether a group
> >>> is really desirable before adding it. I'd argue in the open/openat
> >>> case the case is not strong enough though: writing a filter
> >>> blacklisting those is very difficult, as it means you cannot run
> >>> programs with dynamic libraries (as loading those requires
> >>> open/openat), which hence limits the applications very much and
> >>> restricts its use to very few, very technical cases. In those cases I
> >>> have the suspicion the writer of the filters needs to know in very
> >>> much detail what the semantics are anyway, and he hence isn't helped
> >>> too much by this group.
> >>>
> >>> Note that the @file-system group already includes both, so maybe
> >>> that's a more adequate solution? (not usable for blacklisting though,
> >>> only for whitelisting, realistically).
> >>>
> >>> Hence, I would argue this is a documentation issue, not a bug
> >>> really... Does that make sense?
> >> Yes.
> >>
> >> Linux has always been a moving target and in very many circumstances
> >> this has been A Good Idea!
> >> I guess I'm too much old school and try to keep to the principle of
> >> least surprise.
> >
> > I added some docs about this to this PR:
> >
> > https://github.com/systemd/systemd/pull/12686
> >
> > ptal!
>
> ... and in the section about SyscallErrorNumber, there is a duplicate
> remark:
>
> See (see <citerefentry
> project='man-pages'><refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum></citerefentry>
> for a full list) for a full list of error codes.
>
> ... unless this is somehow mangled by the documentation builder.
I fixed both issues now, and submitted as new PR:
https://github.com/systemd/systemd/pull/12847
(btw, please always add review comments to the github PR rather than
the mailing list, it's a lot easier to keep track of for us, and
remember what is cared for already and what not)
ptal,
thanks,
Lennart
--
Lennart Poettering, Berlin
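As an added illustration of the allow-list advice in the thread above (an example written for this page, not code from the thread, from the PR or from systemd's own documentation; the service name and drop-in path are hypothetical), this drop-in uses syscall groups for the allow list and keeps open/openat out of the deny list, since the dynamic loader needs them before the service can even run:

```ini
# Hypothetical drop-in: /etc/systemd/system/example.service.d/10-syscalls.conf
[Service]
# Allow list first. @system-service is the broad baseline for ordinary
# services; @file-system (which already contains open and openat) is
# listed explicitly to make the intent visible.
SystemCallFilter=@system-service @file-system
# Then subtract what this service never needs. A later "~" line removes
# entries from the allow list above. Do not put ~@file-system, ~open or
# ~openat here: shared-library loading would fail and the unit would
# not start.
SystemCallFilter=~@privileged @resources @mount
# Return EPERM to the caller instead of killing the process with SIGSYS,
# so a filter that is slightly too tight shows up as a normal error in
# the service's own logging rather than a core dump.
SystemCallErrorNumber=EPERM
# Pin the filter to the native syscall ABI so it cannot be sidestepped
# through a secondary (e.g. 32-bit compat) ABI.
SystemCallArchitectures=native
```

Before tightening further, `systemd-analyze syscall-filter @file-system` prints the members of a group, which is the quickest way to confirm that open and openat are covered by the allow list and to check what a given `~@group` line would actually take away.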