[systemd-devel] [RFC] Seccomp filters from file

Lennart Poettering lennart at poettering.net
Wed Jun 24 13:18:09 UTC 2020


On Mi, 24.06.20 09:02, Chris PeBenito (chpebeni at linux.microsoft.com) wrote:

> On 6/23/20 10:57 AM, Lennart Poettering wrote:
> > On Di, 23.06.20 09:41, Chris PeBenito (chpebeni at linux.microsoft.com) wrote:
> >
> > > I've got some challenges using systemd's seccomp support because it
> > > conflicts with the way my system is managed.  I need to manage the seccomp
> > > SystemCallFilter lists in a central location (single directory) so that they
> > > can be updated independently of the packages and portable services on my
> > > systems. Would there be any objections to a patch that would add a new unit
> > > option for loading the system call filter list out of a specified file?
> >
> > seccomp still only supports plain bpf, not ebpf iirc. For some of
> > the ebpf uses we nowadays support that you can upload your filter
> > yourself and then make systemd use it:
> > IPIngressFilterPath=/IPEgressFilterPath=.
> >
> > As soon as seccomp supports ebpf natively we could expose the same
> > mechanism also for system call filtering, but until that happens I
> > don't see any smart future-proof way to provide an interface for
> > integrating your own filters with systemd.
>
> I don't understand your concern; can you clarify?  Is it a concern about the
> kernel ABI stability for seccomp?

iiuc you cannot upload seccomp filters via the bpf() syscall, hence
they cannot show up in bpffs either, but the IPIngressFilterPath= is
built around bpffs paths...

Lennart

--
Lennart Poettering, Berlin
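Chris's underlying need in this thread is to keep SystemCallFilter= lists in one central directory and update them independently of the packaged unit files. Without a new unit option, the standard way to do that is to generate per-unit drop-ins (`/etc/systemd/system/<unit>.d/*.conf`) from those central list files. The script below is an added example written for this page, not systemd code and not the patch discussed in the thread; it assumes a hypothetical layout of one `<unit>.syscalls` text file per unit (one syscall name or `@group` per line, `#` comments), and the drop-in file name `50-seccomp.conf` is my choice. `SystemCallFilter=` and `SystemCallErrorNumber=` are real unit options; the central-directory layout is not.

```python
"""Generate systemd drop-ins from centrally managed syscall filter lists.

Added example for this thread, not systemd project code. Layout assumed
(hypothetical): <central_dir>/<unit>.syscalls -> drop-in written to
<systemd_dir>/<unit>.d/50-seccomp.conf setting SystemCallFilter=.
"""
import re
from pathlib import Path

# A filter token is an optional '~' (deny), optional '@' (group) and a
# syscall/group name. Restricting tokens this tightly matters: a list file
# that could carry '=' or a newline would otherwise be able to inject
# arbitrary directives into the generated unit file, so anything else is
# rejected rather than copied through.
TOKEN_RE = re.compile(r"^~?@?[A-Za-z0-9_-]+$")

DROPIN_NAME = "50-seccomp.conf"  # assumed name, chosen for this example


def parse_syscall_list(text: str) -> list[str]:
    """Return the filter tokens from one list file, in file order."""
    tokens: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        for tok in line.split():
            if not TOKEN_RE.match(tok):
                raise ValueError(f"line {lineno}: invalid filter token {tok!r}")
            tokens.append(tok)
    if not tokens:
        raise ValueError("empty filter list")
    return tokens


def render_dropin(tokens: list[str], errno_name: str = "EPERM") -> str:
    """Render drop-in text applying the filter to the unit's [Service] section.

    SystemCallErrorNumber= makes filtered calls fail with an errno instead of
    killing the process, which keeps a stale central list from taking a
    service down outright.
    """
    if not re.fullmatch(r"E[A-Z0-9]+", errno_name):
        raise ValueError(f"invalid errno name {errno_name!r}")
    return (
        "# Generated from the central syscall list; do not edit by hand.\n"
        "[Service]\n"
        f"SystemCallFilter={' '.join(tokens)}\n"
        f"SystemCallErrorNumber={errno_name}\n"
    )


def generate_dropins(central_dir: Path, systemd_dir: Path) -> list[Path]:
    """Write one drop-in per '<unit>.syscalls' file; return the paths written.

    After writing, the operator still runs 'systemctl daemon-reload' and
    restarts the affected units for the new filter to take effect.
    """
    written: list[Path] = []
    for list_file in sorted(central_dir.glob("*.syscalls")):
        unit = list_file.stem  # e.g. 'foo.service'
        tokens = parse_syscall_list(list_file.read_text())
        dropin_dir = systemd_dir / f"{unit}.d"
        dropin_dir.mkdir(parents=True, exist_ok=True)
        target = dropin_dir / DROPIN_NAME
        target.write_text(render_dropin(tokens))
        written.append(target)
    return written


if __name__ == "__main__":
    # Constructed sample list: allow the common service set, deny privileged calls.
    sample = "@system-service  # baseline for daemons\n~@privileged\n~@mount\n"
    print(render_dropin(parse_syscall_list(sample)), end="")
```

Because drop-ins are merged by systemd itself, the packaged unit file is never touched, and the central directory can be re-rendered on every update with a single `daemon-reload`. Note that a second `SystemCallFilter=` line in another drop-in is merged with this one, so keep one generated drop-in per unit rather than layering several.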

