[systemd-devel] SystemCallFilter
Lennart Poettering
lennart at poettering.net
Tue May 28 14:59:51 UTC 2019
On Di, 28.05.19 14:04, Josef Moellers (jmoellers at suse.de) wrote:
> > Regarding the syscall groupings: yes, the groups exist precisely to
> > improve cases like this. That said, I think we should be careful not
> > have an inflation of groups, and we should ask twice whether a group
> > is really desirable before adding it. I'd argue in the open/openat
> > case the case is not strong enough though: writing a filter
> > blacklisting those is very difficult, as it means you cannot run
> > programs with dynamic libraries (as loading those requires
> > open/openat), which hence limits the applications very much and
> > restricts its use to very few, very technical cases. In those case I
> > have the suspicion the writer of the filters needs to know in very
> > much detail what the semantics are anyway, and he hence isn't helped
> > too much by this group.
> >
> > Note that the @file-system group already includes both, so maybe
> > that's a more adequate solution? (not usable for blacklisting though,
> > only for whirelisting, realistically).
> >
> > Hence, I would argue this is a documentation issue, not a bug
> > really... Does that make sense?
> Yes.
>
> Linux has always been a moving target and in very many circumstances
> this has been A Good Idea!
> I guess I'm too much old school and try to keep to the principle of
> least surprise.
I added some docs about this to this PR:
https://github.com/systemd/systemd/pull/12686
ptal!
Lennart
--
Lennart Poettering, Berlin
More information about the systemd-devel
mailing list