[systemd-devel] [RFC] Seccomp filters from file

Lennart Poettering lennart at poettering.net
Tue Jun 23 14:57:00 UTC 2020


On Di, 23.06.20 09:41, Chris PeBenito (chpebeni at linux.microsoft.com) wrote:

> I've got some challenges using systemd's seccomp support because it
> conflicts with the way my system is managed.  I need to manage the seccomp
> SystemCallFilter lists in a central location (single directory) so that they
> can be updated independently of the packages and portable services on my
> systems. Would there be any objections to a patch that would add a new unit
> option for loading the system call filter list out of a specified file?

seccomp still only supports plain bpf, not ebpf iirc. For some of
the ebpf uses we nowadays support that you can upload your filter
yourself and then make systemd use it:
IPIngressFilterPath=/IPEgressFilterPath=.

As soon as seccomp supports ebpf natively we could expose the same
mechanism also for system call filtering, but until that happens I
don't see any smart future-proof way to provide an interface for
integrating your own filters with systemd.

That said: you could also just use unit drop-ins, i.e. write a common
drop-in file that contains the filter you want to define and then
symlink it into the relevant unit .d/ subdirs. That way you can have
a common definition that is used by a variety of services. This is in
fact what portablectl's --profile= logic internally does: it just
symlinks a common .d/ drop-in into all service files it attaches. The
common profiles are shipped in /usr/lib/systemd/portable/profile/.

Lennart

--
Lennart Poettering, Berlin
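The drop-in approach from the reply above, worked through as an added example that is not part of the thread or of systemd itself. It keeps one SystemCallFilter= drop-in in a central directory and symlinks it into each unit's .d/ directory, so editing the single file changes the filter for every attached service. The directives and the @system-service, @privileged and @resources syscall sets are real systemd syntax; the central directory name, the unit names and the scratch root (so the script never touches a live /etc) are constructed for the example.

```shell
#!/bin/sh
# Added example: one central seccomp drop-in, symlinked into several
# unit .d/ directories (the pattern portablectl --profile= uses).
# All paths sit under a scratch root so this runs without root and
# without modifying a real system.

ROOT="${ROOT:-$(mktemp -d)}"
FILTER_DIR="$ROOT/etc/seccomp-profiles"     # central location (constructed)
UNIT_DIR="$ROOT/etc/systemd/system"         # where <unit>.d/ dirs would live

# Write the common drop-in once. The syscall selection below is an
# example policy: allow the generic service set, deny privileged and
# resource-control syscalls, and fail them with EPERM instead of SIGSYS.
write_common_filter() {
    mkdir -p "$FILTER_DIR"
    cat > "$FILTER_DIR/10-syscall-filter.conf" <<'EOF'
[Service]
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
EOF
}

# Symlink the common drop-in into <unit>.d/ for every unit name given.
attach_filter() {
    for unit in "$@"; do
        mkdir -p "$UNIT_DIR/$unit.d"
        ln -sfn "$FILTER_DIR/10-syscall-filter.conf" \
            "$UNIT_DIR/$unit.d/10-syscall-filter.conf"
    done
}

# Return 0 when the unit's drop-in resolves to the central file.
filter_attached() {
    [ "$(readlink -f "$UNIT_DIR/$1.d/10-syscall-filter.conf")" = \
      "$(readlink -f "$FILTER_DIR/10-syscall-filter.conf")" ]
}

# Count the units that share the central file (one edit updates them all).
attached_count() {
    n=0
    for link in "$UNIT_DIR"/*.d/10-syscall-filter.conf; do
        [ -L "$link" ] && n=$((n + 1))
    done
    echo "$n"
}

write_common_filter
attach_filter foo.service bar.service
```

On a real system the drop-ins go under /etc/systemd/system/<unit>.d/ and take effect after `systemctl daemon-reload`; `systemctl show -p SystemCallFilter <unit>` confirms what was loaded. Because the links point at one file, a central update is a single write plus a reload, which is the property the original question asked for.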
