[systemd-devel] Seccomp allow/log action
Chris PeBenito
chpebeni at linux.microsoft.com
Wed Jul 8 14:47:32 UTC 2020
I would like to implement a unit option that would make the seccomp action
SCMP_ACT_LOG so that I can test SystemCallFilter settings without killing the
services, like SELinux permissive mode.

I was reading this GitHub issue about seccomp actions from last year:
https://github.com/systemd/systemd/issues/11967

While it mentioned other actions, it was mainly about changing the kill action
to kill the process rather than just the offending thread. There wasn't a solid
conclusion about how allow/log actions would work in terms of unit options. I
figure one option is adding a new option like SystemCallFilterAllow=bool that
would conflict with SystemCallFilterErrno. If true, it would set SCMP_ACT_LOG for
the action. Having a setting for SCMP_ACT_ALLOW seems redundant since it's
equivalent to commenting out the SystemCallFilter option since there's no logging.

Is there a preference for how the config options would work?
--
Chris PeBenito
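
An added example, not part of the original message and not systemd code: how the output of a log-only seccomp action could be turned into a list of syscalls to review before enforcing a filter. It assumes the kernel's log action (`SECCOMP_RET_LOG`, the value behind SCMP_ACT_LOG) is reported as auditd `type=SECCOMP` records on x86_64; the sample records, the service names `exampled` and `otherd`, and the helper names are constructed for illustration.

```python
import re
from collections import defaultdict

SECCOMP_RET_LOG = 0x7FFC0000    # kernel action value behind SCMP_ACT_LOG
AUDIT_ARCH_X86_64 = 0xC000003E  # arch= value for x86_64 audit records

# Subset of the x86_64 syscall table, enough for the sample below.
SYSCALL_NAMES = {101: "ptrace", 155: "pivot_root", 165: "mount", 169: "reboot"}

# key=value pairs; values are either quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit records (not captured from a real system).
SAMPLE_LOG = """\
type=SECCOMP msg=audit(1594219652.101:310): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=812 comm="exampled" exe="/usr/bin/exampled" sig=0 arch=c000003e syscall=165 compat=0 ip=0x7f3a5c1e2b4e code=0x7ffc0000
type=SECCOMP msg=audit(1594219652.140:311): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=812 comm="exampled" exe="/usr/bin/exampled" sig=0 arch=c000003e syscall=165 compat=0 ip=0x7f3a5c1e2b4e code=0x7ffc0000
type=SECCOMP msg=audit(1594219653.007:312): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=812 comm="exampled" exe="/usr/bin/exampled" sig=0 arch=c000003e syscall=101 compat=0 ip=0x7f3a5c1d90aa code=0x7ffc0000
type=SECCOMP msg=audit(1594219660.500:313): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=955 comm="otherd" exe="/usr/bin/otherd" sig=31 arch=c000003e syscall=169 compat=0 ip=0x7f11aa02c3d1 code=0x80000000
type=SERVICE_START msg=audit(1594219661.000:314): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=exampled comm="systemd" res=success'
"""


def logged_syscalls(log_text):
    """Map comm -> {syscall name: hit count} for log-only seccomp records."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") != "SECCOMP":
            continue
        if int(fields.get("code", "0"), 16) != SECCOMP_RET_LOG:
            continue  # kill/trap/errno records are enforced, not log-only
        if int(fields.get("arch", "0"), 16) != AUDIT_ARCH_X86_64:
            continue  # the name table above only covers x86_64
        nr = int(fields["syscall"])
        name = SYSCALL_NAMES.get(nr, f"#{nr}")  # keep unknown numbers visible
        hits[fields.get("comm", "?")][name] += 1
    return {comm: dict(calls) for comm, calls in hits.items()}


def review_candidates(log_text, comm):
    """Sorted syscalls the filter would have blocked for one service."""
    return sorted(logged_syscalls(log_text).get(comm, {}))


if __name__ == "__main__":
    for comm, calls in logged_syscalls(SAMPLE_LOG).items():
        print(comm, calls)
```

Each name returned is a decision point rather than an automatic addition: either the service legitimately needs the call and the SystemCallFilter list should include it, or the call is unexpected and worth investigating before the filter is switched to an enforcing action.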