[systemd-devel] How to disable seccomp in systemd-nspawn?

Steve Dodd steved424 at gmail.com
Sun Aug 16 15:32:43 UTC 2020


On Sun, 16 Aug 2020 at 16:05, Steve Dodd <steved424 at gmail.com> wrote:

> That's interesting .. it's possible things don't work quite the way I think
> they do, but I will try to find previous examples - I remember borgbackup
> was affected on armhf fairly recently, for example.
>

Ah, the borgbackup thing was different - sync_file_range2 was missing from
systemd's filter set. Here's the last "new syscall" issue though:

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1883447

>> Hmm, this would make a ton of sense. We currently have a "log" seccomp
>> action, but it will just log and allow anyway. we'd need another
>> action that would log and refuse. Please file an RFE, or even better
>> prep a PR for this!
>>
>
> Looking at the kernel seccomp doc, I'm not actually sure it's possible,
> from code at least:
>
> https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html
>
> But there is /proc/sys/kernel/seccomp/actions_logged which might do the
> trick!
>

Ah, looks like we need to seccomp_attr_get(&ctx, SCMP_FLTATR_CTL_LOG, ..)
somewhere for this to work. Not sure if that should be done
unconditionally...

S.

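Added example, not code from this thread, from systemd or from libseccomp: what "log and refuse" looks like at the kernel level. There is no single seccomp return action for it. Instead, a filter installed with SECCOMP_FILTER_FLAG_LOG (the kernel flag behind libseccomp's SCMP_FLTATR_CTL_LOG attribute) has every non-ALLOW verdict logged, so an ordinary SECCOMP_RET_ERRNO refusal is logged as long as "errno" appears in /proc/sys/kernel/seccomp/actions_logged. The program builds such a filter in raw cBPF, carries a small simulator so the filter's verdicts can be checked without installing anything, and in main() installs it and triggers the refusal. Assumed here and not taken from the page: getpgid as the blocked syscall, an x86-64 or aarch64 host, and a kernel of 4.14 or newer.

```c
/* Added example (not from the thread, systemd or libseccomp): a raw seccomp
 * filter that refuses one syscall with EPERM, installed with
 * SECCOMP_FILTER_FLAG_LOG so the refusal is logged when "errno" is listed
 * in /proc/sys/kernel/seccomp/actions_logged.  Assumptions: Linux >= 4.14,
 * x86-64 or aarch64, and getpgid as an arbitrary syscall to block. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Seven instructions: kill on a foreign arch, `action` for syscall `nr`,
 * allow everything else.  Returns the instruction count. */
static size_t build_filter(uint32_t arch, int nr, uint32_t action,
                           struct sock_filter *out)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, prog, sizeof prog);
    return sizeof prog / sizeof prog[0];
}

/* Interpreter for the three opcodes build_filter() emits: the kernel's
 * verdict for a given seccomp_data, reproduced in userspace. */
static uint32_t simulate(const struct sock_filter *f, size_t n,
                         const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &f[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;   /* relative to next insn */
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL_PROCESS;  /* opcode not modelled here */
    }
    return SECCOMP_RET_KILL_PROCESS;          /* ran off the end: bad filter */
}

/* Verdict of a filter (arch, blocked_nr, action) for a call of call_nr
 * arriving with call_arch. */
static uint32_t decide(uint32_t arch, int blocked_nr, uint32_t action,
                       uint32_t call_arch, int call_nr)
{
    struct sock_filter f[8];
    size_t n = build_filter(arch, blocked_nr, action, f);
    struct seccomp_data d = { .nr = call_nr, .arch = call_arch };
    return simulate(f, n, &d);
}

/* SECCOMP_FILTER_FLAG_LOG: log every non-ALLOW verdict, subject to the
 * administrator's actions_logged sysctl. */
static int install_filter(const struct sock_filter *f, size_t n,
                          unsigned long flags)
{
    struct sock_fprog prog = { .len = (unsigned short)n,
                               .filter = (struct sock_filter *)f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flags, &prog);
}

int main(void)
{
    struct sock_filter f[8];
    size_t n = build_filter(DEMO_ARCH, SYS_getpgid, SECCOMP_RET_ERRNO | EPERM, f);
    if (install_filter(f, n, SECCOMP_FILTER_FLAG_LOG) != 0) {
        perror("seccomp");
        return 1;
    }
    errno = 0;
    long r = syscall(SYS_getpgid, 0);   /* refused with EPERM, and logged */
    printf("getpgid -> %ld, errno %d (%s)\n", r, errno, strerror(errno));
    char line[128];
    FILE *fp = fopen("/proc/sys/kernel/seccomp/actions_logged", "r");
    if (fp && fgets(line, sizeof line, fp))
        printf("actions_logged: %s", line);   /* needs "errno" for the log */
    if (fp)
        fclose(fp);
    return 0;
}
```

After running it, look in the kernel log (dmesg, or the audit log if auditd is running) for the AUDIT_SECCOMP (type=1326) record of the refused getpgid. If actions_logged does not list errno the call is still refused but nothing is logged; that sysctl, not the filter, is the administrator's override, and SECCOMP_RET_LOG on its own is the opposite case, a verdict that is logged and then allowed.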