[systemd-devel] SystemCallFilter

Josef Moellers jmoellers at suse.de
Tue May 28 15:16:23 UTC 2019

On 28.05.19 16:59, Lennart Poettering wrote:
> On Di, 28.05.19 14:04, Josef Moellers (jmoellers at suse.de) wrote:
>>> Regarding the syscall groupings: yes, the groups exist precisely to
>>> improve cases like this. That said, I think we should be careful not
>>> have an inflation of groups, and we should ask twice whether a group
>>> is really desirable before adding it. I'd argue in the open/openat
>>> case the case is not strong enough though: writing a filter
>>> blacklisting those is very difficult, as it means you cannot run
>>> programs with dynamic libraries (as loading those requires
>>> open/openat), which hence limits the applications very much and
>>> restricts its use to very few, very technical cases. In those case I
>>> have the suspicion the writer of the filters needs to know in very
>>> much detail what the semantics are anyway, and he hence isn't helped
>>> too much by this group.
>>> Note that the @file-system group already includes both, so maybe
>>> that's a more adequate solution? (not usable for blacklisting though,
>>> only for whirelisting, realistically).
>>> Hence, I would argue this is a documentation issue, not a bug
>>> really... Does that make sense?
>> Yes.
>> Linux has always been a moving target and in very many circumstances
>> this has been A Good Idea!
>> I guess I'm too much old school and try to keep to the principle of
>> least surprise.
> I added some docs about this to this PR:
> https://github.com/systemd/systemd/pull/12686
> ptal!

... and in the section about SyscallErrorNumber, there is a duplicate

See (see <citerefentry
for a full list) for a full list of error codes.

... unless this is somehow mangled by the documetation builder.

SUSE Linux GmbH
Maxfeldstrasse 5
90409 Nuernberg
GF: Felix Imend├Ârffer, Mary Higgins, Sri Rasiah
HRB 21284 (AG N├╝rnberg)

More information about the systemd-devel mailing list