[systemd-devel] Udev hardening

Lennart Poettering lennart at poettering.net
Wed Dec 16 21:13:12 UTC 2020


On Mo, 14.12.20 14:54, Adi Ml (maladi1747 at gmail.com) wrote:

> Hi,
>
> I would like to harden my udev service with the
> SystemCallFilter option. What systemcalls should be permitted/allowed in
> order to secure it and avoid irrelevant system calls?

We apply system call filters to all long running services included in
systemd by default — but we don't for udev because we cannot. It's
more of an "application server" if you so will, that can run other
code, as people can drop in rules of any kind if they wish. And we
don't know what that'll be and what it wants to use. Hence we don't.

In specific setups that only supports very specific software you can
of course put together your own rules, but that's only something you
can do, if you know the stuff you run.

You may use "SystemCallLog=" (added in v247) in the udev unit file to
make the kernel log all system calls that are done by a service.

Lennart

--
Lennart Poettering, Berlin


More information about the systemd-devel mailing list