[systemd-devel] Seccomp allow/log action
Topi Miettinen
toiwoton at gmail.com
Wed Jul 8 18:31:08 UTC 2020
On 8.7.2020 17.47, Chris PeBenito wrote:
> I would like to implement a unit option that would make the seccomp
> action SCMP_ACT_LOG so that I can test SystemCallFilter settings without
> killing the services, like SELinux permissive mode.
>
> I was reading this github issue about seccomp actions from last year:
>
> https://github.com/systemd/systemd/issues/11967
>
> While it mentioned other actions, it was mainly about changing the kill
> action to kill the process rather than just the offending thread. There
> wasn't a solid conclusion about how allow/log actions would work in
> terms of unit options. I figure one option is adding a new option like
> SystemCallFilterAllow=bool that would conflict with
> SystemCallFilterErrno. If true it would set SCMP_ACT_LOG for the
> action. Having a setting for SCMP_ACT_ALLOW seems redundant since it's
> equivalent to commenting out the SystemCallFilter option since there's
> no logging.

I think it would be more flexible to extend the error code return per
system call, like

SystemCallFilter=gettimeofday:LOG

For the global error action, I'd propose SystemCallErrorNumber= to be
superseded by a more generic

SystemCallErrorAction= KILL | LOG | errno code

-Topi
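
Added example (not part of the original message and not systemd code): a sketch of how the per-syscall suffix and the global SystemCallErrorAction= proposed in this thread could resolve into libseccomp actions, so a filter can be reviewed in LOG mode before it is enforced. It models only the allow-list form; the function names, the sample unit lines and the KILL default are assumptions.

```python
import errno

# Symbolic errno names (EPERM, ENOSYS, ...) mapped to their numbers.
ERRNO_BY_NAME = {name: num for num, name in errno.errorcode.items()}


def parse_action(token):
    """Map 'KILL' | 'LOG' | errno name or number to a libseccomp action."""
    t = token.strip().upper()
    if t == "KILL":
        return "SCMP_ACT_KILL"
    if t == "LOG":
        return "SCMP_ACT_LOG"
    num = int(t) if t.isdigit() else ERRNO_BY_NAME.get(t)
    if num is None or not 0 < num < 4096:  # seccomp errno values are 1..4095
        raise ValueError(f"unknown action or errno: {token!r}")
    return f"SCMP_ACT_ERRNO({num})"


def resolve(unit_lines):
    """Return (default_action, {syscall: action}) for an allow-list filter."""
    default = "SCMP_ACT_KILL"  # assumed default when no global action is set
    rules = {}
    for line in unit_lines:
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue  # section headers, blank lines
        if key == "SystemCallErrorAction":  # option name proposed in the thread
            default = parse_action(value)
        elif key == "SystemCallFilter":
            for entry in value.split():
                if entry.startswith("~"):
                    raise ValueError("deny-list form is not modelled here")
                name, colon, action = entry.partition(":")
                # No suffix: the syscall is allowed. With a suffix: that action.
                rules[name] = parse_action(action) if colon else "SCMP_ACT_ALLOW"
    return default, rules


def verdict(syscall, default, rules):
    """Action applied to one syscall: its own rule, else the global action."""
    return rules.get(syscall, default)


# Constructed sample unit using the syntax proposed in this thread.
SAMPLE_UNIT = [
    "[Service]",
    "SystemCallFilter=read write exit_group",
    "SystemCallFilter=gettimeofday:LOG ptrace:EPERM",
    "SystemCallErrorAction=LOG",
]
```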