[systemd-devel] [RFC] Seccomp filters from file

Chris PeBenito chpebeni at linux.microsoft.com
Wed Jun 24 13:02:40 UTC 2020


On 6/23/20 10:57 AM, Lennart Poettering wrote:
> On Di, 23.06.20 09:41, Chris PeBenito (chpebeni at linux.microsoft.com) wrote:
> 
>> I've got some challenges using systemd's seccomp support because it
>> conflicts with the way my system is managed.  I need to manage the seccomp
>> SystemCallFilter lists in a central location (single directory) so that they
>> can be updated independently of the packages and portable services on my
>> systems. Would there be any objections to a patch that would add a new unit
>> option for loading the system call filter list out of a specified file?
> 
> seccomp still only supports plain bpf, not ebpf iirc. For some of
> the ebpf uses we nowadays support that you can upload your filter
> yourself and then make systemd use it:
> IPIngressFilterPath=/IPEgressFilterPath=.
> 
> As soon as seccomp supports ebpf natively we could expose the same
> mechanism also for system call filtering, but until that happens I
> don't see any smart future-proof way to provide an interface for
> integrating your own filters with systemd.

I don't understand your concern; can you clarify?  Is it a concern about the 
kernel ABI stability for seccomp?


-- 
Chris PeBenito
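
Added example (not code from the thread, and not part of systemd): one way to get the "central directory of filter lists" the original mail asks for with the options systemd already has. Instead of a new unit option, a small script renders each list file into a drop-in that sets SystemCallFilter=. It relies on two documented behaviours of SystemCallFilter=: repeated assignments accumulate, and an empty assignment resets the list, so a drop-in can override whatever the packaged unit set. The list file format, directory layout and unit name below are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not code from the thread or from systemd): render a centrally
# managed syscall list file into a systemd drop-in that sets SystemCallFilter=,
# so the list can be updated independently of the unit that ships with a package.
# Assumptions, all hypothetical: list files hold one syscall name or @group per
# line, '#' starts a comment, and the drop-in root defaults to /etc/systemd/system.

# render_filter_dropin LISTFILE
# Print drop-in text built from LISTFILE. The empty SystemCallFilter= resets
# any list the packaged unit set; the second line installs the central one.
render_filter_dropin() {
    listfile=$1
    [ -r "$listfile" ] || { echo "cannot read $listfile" >&2; return 1; }
    # strip comments and surrounding whitespace, drop blank lines, join with spaces
    names=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$listfile" \
        | grep -v '^$' | tr '\n' ' ' | sed -e 's/ *$//')
    [ -n "$names" ] || { echo "empty filter list: $listfile" >&2; return 1; }
    printf '[Service]\nSystemCallFilter=\nSystemCallFilter=%s\n' "$names"
}

# install_filter_dropin UNIT LISTFILE [DROPIN_ROOT]
# Write the rendered drop-in to DROPIN_ROOT/UNIT.d/50-central-seccomp.conf
# and print that path. On a real host run `systemctl daemon-reload` afterwards.
install_filter_dropin() {
    unit=$1
    listfile=$2
    root=${3:-/etc/systemd/system}
    dropin_dir="$root/$unit.d"
    target="$dropin_dir/50-central-seccomp.conf"
    mkdir -p "$dropin_dir" || return 1
    # do not leave a half-written drop-in behind if rendering fails
    if ! render_filter_dropin "$listfile" > "$target"; then
        rm -f "$target"
        return 1
    fi
    echo "$target"
}

# Constructed sample list for a hypothetical myservice.service (not real data).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/myservice.list" <<'EOF'
# central allow-list for myservice
@system-service   # the usual baseline for system daemons
rt_sigqueueinfo   # an extra syscall this service needs
EOF

# Demonstration: install into a scratch root instead of /etc/systemd/system.
install_filter_dropin myservice.service "$SAMPLE_DIR/myservice.list" "$SAMPLE_DIR/etc" >/dev/null
```

Because the drop-in is plain unit syntax, systemd still compiles the resulting allow-list into the seccomp BPF program itself, which avoids the kernel-ABI question Lennart raises about accepting externally built filters; the central directory only owns the list of names and groups.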

