[systemd-devel] Seccomp allow/log action

Chris PeBenito chpebeni at linux.microsoft.com
Mon Jul 13 14:02:23 UTC 2020


On 7/8/20 2:31 PM, Topi Miettinen wrote:
> On 8.7.2020 17.47, Chris PeBenito wrote:
>> I would like to implement a unit option that would make the seccomp action 
>> SCMP_ACT_LOG so that I can test SystemCallFilter settings without killing the 
>> services, like SELinux permissive mode.
>>
>> I was reading this GitHub issue about seccomp actions from last year:
>>
>> https://github.com/systemd/systemd/issues/11967
>>
>> While it mentioned other actions, it was mainly about changing the kill action 
>> to kill the process rather than just the offending thread.  There wasn't a 
>> solid conclusion about how allow/log actions would work in terms of unit 
>> options.  I figure one option is adding a new option like 
>> SystemCallFilterAllow=bool that would conflict with SystemCallFilterErrno. If 
>> true it would set SCMP_ACT_LOG for the action.  Having a setting for 
>> SCMP_ACT_ALLOW seems redundant since it's equivalent to commenting out the 
>> SystemCallFilter option since there's no logging.
> 
> I think it would be more flexible to extend the error code return per system 
> call, like
> SystemCallFilter=gettimeofday:LOG

Yes, that provides much more granularity but is it necessary to support that 
level of granularity in systemd?  Fine-grained system call logging is available 
in the audit subsystem and is much more flexible.



> For global error action, I'd propose SystemCallErrorNumber= to be superseded by 
> more generic
> 
> SystemCallErrorAction= KILL | LOG | errno code


-- 
Chris PeBenito
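
The "permissive mode" workflow discussed in this thread, as an added example that is not part of the original message or of systemd: with auditing enabled, a filter action of SCMP_ACT_LOG lets the call through and leaves a type=SECCOMP audit record, and this Python code tallies those records per command and syscall. The sample records, the `exampled` command name and the three-entry x86_64 syscall table are constructed for the example.

```python
import re
from collections import Counter

# Upper 16 bits of the seccomp return value select the action (linux/seccomp.h).
SECCOMP_ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD",
                   0x00030000: "TRAP", 0x00050000: "ERRNO",
                   0x7FFC0000: "LOG", 0x7FFF0000: "ALLOW"}
# Tiny x86_64 table for the sample only; resolve other numbers with ausyscall(8).
X86_64_SYSCALLS = {96: "gettimeofday", 101: "ptrace", 165: "mount"}
AUDIT_ARCH_X86_64 = 0xC000003E
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit.log lines (not from a real host).
SAMPLE = [
    'type=SECCOMP msg=audit(1594648943.101:412): uid=0 pid=812 comm="exampled" sig=0 arch=c000003e syscall=96 compat=0 code=0x7ffc0000',
    'type=SECCOMP msg=audit(1594648943.250:413): uid=0 pid=812 comm="exampled" sig=0 arch=c000003e syscall=96 compat=0 code=0x7ffc0000',
    'type=SECCOMP msg=audit(1594648944.007:414): uid=0 pid=812 comm="exampled" sig=0 arch=c000003e syscall=317 compat=0 code=0x7ffc0000',
    'type=SECCOMP msg=audit(1594648950.500:420): uid=0 pid=812 comm="exampled" sig=31 arch=c000003e syscall=165 compat=0 code=0x80000000',
    'type=SYSCALL msg=audit(1594648951.000:421): arch=c000003e syscall=96 success=yes exit=0 comm="exampled"',
]

def parse_seccomp_record(line):
    """Return a dict for a type=SECCOMP audit record, or None for anything else."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != "SECCOMP":
        return None
    try:
        code = int(fields["code"], 16)
        arch = int(fields["arch"], 16)
        nr = int(fields["syscall"])
    except (KeyError, ValueError):
        return None  # truncated or malformed record
    name = X86_64_SYSCALLS.get(nr) if arch == AUDIT_ARCH_X86_64 else None
    return {"comm": fields.get("comm", "?"),
            "syscall": name or f"nr{nr}@{arch:08x}",  # keep unknown numbers visible
            "action": SECCOMP_ACTIONS.get(code & 0xFFFF0000, f"0x{code:08x}")}

def logged_syscalls(lines):
    """Count (comm, syscall) pairs that the filter logged but let through."""
    hits = Counter()
    for line in lines:
        rec = parse_seccomp_record(line)
        if rec and rec["action"] == "LOG":
            hits[(rec["comm"], rec["syscall"])] += 1
    return hits

if __name__ == "__main__":
    for (comm, syscall), n in logged_syscalls(SAMPLE).most_common():
        print(f"{comm}: {syscall} logged {n}x")
```

Each pair in the tally is a call the filter would have blocked under a kill or errno action, so it is the list to review before switching the unit from logging to enforcing.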

