[systemd-devel] SystemCallFilter

Josef Moellers jmoellers at suse.de
Tue May 28 09:43:11 UTC 2019


Hi,

We just had an issue with a partner who tried to filter out the "open"
system call:

	SystemCallFilter=~open
This may, in general, not be a very clever idea because how is one to
load a shared library to start with, but this example has revealed
something problematic ...
The problem the partner had was that the filter just didn't work. No
matter what he tried, the test program ran to completion.

It took us some time to figure out what caused this:
The test program relied on the fact that when it called open(), that the
"open" system call would be used, which it doesn't any more. It uses the
"openat" system call instead (*).
Now it appears that this change is deliberate and so my question is what
to do about these cases.
Should one
* also filter out "openat" if only "open" is required?
* introduce a new group "@open" which filters both?

I regard "SystemCallFilter" as a security measure and if one cannot rely
on mechanisms any more, what good is such a feature?

Josef

(*) IMHO thereby breaking The Principle Of Least Surprise.
-- 
SUSE Linux GmbH
Maxfeldstrasse 5
90409 Nuernberg
Germany
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah
HRB 21284 (AG Nürnberg)
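The check that would have shortened the debugging described above, as an added example that is not part of the original post: run the test program under strace, look at the syscall names that actually reach the kernel, and compare them against the SystemCallFilter= value. The strace output below is constructed, and the open/openat/openat2 grouping is the example's own assumption, not a systemd syscall group.

```python
import re
from collections import Counter

# Constructed `strace -f` output: the program calls the libc open()
# wrapper, but the kernel only ever sees openat.
TRACE = """\
12345 execve("./opentest", ["./opentest"], 0x7ffd0000 /* 20 vars */) = 0
12345 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
12345 openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
12345 openat(AT_FDCWD, "/tmp/testfile", O_RDONLY) = 3
12345 read(3, "hello\\n", 4096) = 6
12345 close(3) = 0
12345 +++ exited with 0 +++
"""

# Matches "name(" at line start, optionally after a pid or "[pid N]" prefix.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z0-9_]+)\(")

# Assumed grouping of wrappers that libc may route to a sibling syscall;
# openat2 is the newer variant and is included as a defensive extra.
SIBLINGS = {"open": {"openat", "openat2"}}


def observed_syscalls(trace):
    """Count the syscall names that actually reached the kernel."""
    counts = Counter()
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def parse_filter(value):
    """Parse a SystemCallFilter= value; a leading '~' makes it a deny list."""
    value = value.strip()
    deny = value.startswith("~")
    return deny, set(value.lstrip("~").split())


def audit(filter_value, trace):
    """Split observed syscalls into those the filter blocks and those it passes."""
    deny, names = parse_filter(filter_value)
    seen = observed_syscalls(trace)
    blocked = {s for s in seen if (s in names) == deny}
    return blocked, set(seen) - blocked


def missing_siblings(filter_value):
    """Deny-listed syscalls whose sibling syscalls are not also denied."""
    deny, names = parse_filter(filter_value)
    if not deny:
        return {}
    return {s: SIBLINGS[s] - names for s in names if s in SIBLINGS and SIBLINGS[s] - names}
```

`audit("~open", TRACE)` reports openat as passing, and `missing_siblings("~open")` names the openat and openat2 entries that a deny list for open would also need.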