[systemd-devel] systemd-analyze security and SystemCallFilter
Lennart Poettering
mzerqung at 0pointer.de
Tue Jul 14 08:15:35 UTC 2020
On So, 12.07.20 18:35, Reindl Harald (h.reindl at thelounge.net) wrote:
> why are these bad and scored?
> including syscalls to the blacklist is hardly wrong
Sounds like a bug. Can you file it on github please?
I figure the tool becomes confused by the blacklist logic. Doing a
whitelist is the preferred way and it handles that much better.
Please provide the unit file in question in the github issue.
> systemd-243.8-1.fc31.x86_64
>
> ✗ SystemCallFilter=~@clock       System call blacklist defined for service, and @clock is included            0.1
> ✗ SystemCallFilter=~@debug       System call blacklist defined for service, and @debug is included            0.1
> ✗ SystemCallFilter=~@module      System call blacklist defined for service, and @module is included           0.1
> ✗ SystemCallFilter=~@mount       System call blacklist defined for service, and @mount is included            0.1
> ✗ SystemCallFilter=~@raw-io      System call blacklist defined for service, and @raw-io is included           0.1
> ✗ SystemCallFilter=~@reboot      System call blacklist defined for service, and @reboot is included           0.1
> ✗ SystemCallFilter=~@swap        System call blacklist defined for service, and @swap is included             0.1
> ✗ SystemCallFilter=~@privileged  System call blacklist defined for service, and @privileged is not included   0.2
> ✗ SystemCallFilter=~@resources   System call blacklist defined for service, and @resources is not included    0.2
Lennart
--
Lennart Poettering, Berlin
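To make the blacklist-versus-whitelist point concrete, here is an added example (not from the thread or from systemd itself) showing the denylist form of the quoted unit beside the allowlist form Lennart recommends, written as drop-ins for a hypothetical example.service; the service name and the drop-in path are assumptions.

```ini
# Added example. Two alternative drop-in files for a hypothetical
# "example.service"; each would live at
# /etc/systemd/system/example.service.d/hardening.conf

# --- Variant A: denylist, as in the quoted unit -------------------------
# A leading "~" removes the listed groups from the set of permitted
# system calls. Everything not listed stays allowed, including any
# syscall the kernel gains after this unit was written, so the filter
# only ever shrinks as much as the author remembered to list.
[Service]
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap
SystemCallFilter=~@privileged @resources

# --- Variant B: allowlist, the form systemd-analyze handles well -------
# The first line without "~" turns the filter into an allowlist: only
# @system-service (the group systemd provides as a starting point for
# ordinary services) is permitted and every other syscall is denied.
# Later "~" lines subtract from that allowed set, so @privileged and
# @resources are taken away again even where @system-service would
# have carried any of their members.
[Service]
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Without this, a filtered syscall kills the process; returning EPERM
# instead lets the daemon log the failure and is easier to debug.
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload`, `systemd-analyze security example.service` prints the per-setting table shown in the quoted message, which makes it easy to compare how the two variants are scored.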