[systemd-devel] [RFC] Seccomp filters from file
Chris PeBenito
chpebeni at linux.microsoft.com
Wed Jun 24 13:02:40 UTC 2020
On 6/23/20 10:57 AM, Lennart Poettering wrote:
> On Di, 23.06.20 09:41, Chris PeBenito (chpebeni at linux.microsoft.com) wrote:
>
>> I've got some challenges using systemd's seccomp support because it
>> conflicts with the way my system is managed. I need to manage the seccomp
>> SystemCallFilter lists in a central location (single directory) so that they
>> can be updated independently of the packages and portable services on my
>> systems. Would there be any objections to a patch that would add a new unit
>> option for loading the system call filter list out of a specified file?
>
> seccomp is still only supports plain bpf, not ebpf iirc. For some of
> the ebpf uses we noawadays support that you can upload your filter
> yourself and then make systemd use it:
> IPIngressFilterPath=/IPEgressFilterPath=.
>
> As soon as seccomp supports ebpf natively we could expose the same
> mechanism also for system call filtering, but until that happens I
> don't see any smart future-proof way to provide an interface for
> integrating your own filters with systemd.
I don't understand your concern; can you clarify? Is it a concern about the
kernel ABI stability for seccomp?
--
Chris PeBenito
More information about the systemd-devel
mailing list