[systemd-devel] How to disable seccomp in systemd-nspawn?

Lennart Poettering lennart at poettering.net
Thu Jun 25 08:47:18 UTC 2020


On Mi, 24.06.20 23:13, Mohan R (mohan43u at gmail.com) wrote:

> Hi,
>
> How to disable seccomp in systemd-nspawn? I'm facing an issue while
> running fuse-overlayfs and I reported it

You can't disable seccomp right now.

> https://github.com/containers/fuse-overlayfs/issues/220#issuecomment-648865831
>
> Developer asked me to check if the container is seccomp filtered, as
> suspected systemd-nspawn put the container inside seccomp filtered
> (Seccomp: 2). But I'm not able to get the list of filtered syscalls or
> I'm not able to find out why 'openat2()' is returning EPERM inside the
> systemd-nspawn container.

We implement a system call allow list, i.e. everything that isn't
explicitly allowed is denied. You can use --system-call-filter=openat2
to allow a specific syscall on top of our defaults, i.e. extend the
allow list, or remove entries from it.

Generic application code should have fallbacks in place when it comes
to new system calls such as openat2(), if they are supposed to work on
kernels that aren't the very newest or in containerized environments,
since pretty much all of them employ a syscall filter allow list these
days.

Lennart

--
Lennart Poettering, Berlin
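The fallback pattern Lennart describes, as an added example that is not part of this thread or of systemd: probe whether openat2() is usable, and if a seccomp allow list rejects it (EPERM, as reported above) or the kernel predates it (ENOSYS), fall back to plain openat(). The struct and syscall number are declared locally so the example builds against older libc headers; the assumption is a Linux build, where openat2 is syscall 437 on every architecture. Function names (`probe_openat2`, `open_with_fallback`) are the example's own.

```c
// Added example: detect a filtered or missing openat2() and fall back to openat().
// Assumes Linux; openat2 is syscall number 437 on all architectures.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_openat2
#define __NR_openat2 437
#endif

// Same layout as struct open_how in <linux/openat2.h>, declared here so the
// example compiles even where that header is absent.
struct local_open_how {
    uint64_t flags;
    uint64_t mode;
    uint64_t resolve;
};

// RESOLVE_BENEATH: refuse resolution that escapes the tree below dirfd.
#ifndef RESOLVE_BENEATH
#define RESOLVE_BENEATH 0x08
#endif

static int raw_openat2(int dirfd, const char *path, struct local_open_how *how) {
    return (int) syscall(__NR_openat2, dirfd, path, how, sizeof *how);
}

// Returns 0 when openat2() works, otherwise the errno it failed with.
// ENOSYS: kernel too old.  EPERM: the call exists but a syscall filter
// rejected it, which is what the thread reports from inside nspawn.
int probe_openat2(void) {
    struct local_open_how how = { .flags = O_RDONLY | O_DIRECTORY };
    int fd = raw_openat2(AT_FDCWD, ".", &how);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

// Open path relative to dirfd, preferring openat2() with RESOLVE_BENEATH and
// falling back to openat() only when the call itself is unavailable (ENOSYS)
// or filtered (EPERM). Any other error comes from the open and is returned
// as-is. Note the fallback loses RESOLVE_BENEATH: a caller that depends on
// that containment must fail closed here instead of degrading silently.
int open_with_fallback(int dirfd, const char *path, int flags) {
    struct local_open_how how = {
        .flags = (uint64_t) flags,
        .resolve = RESOLVE_BENEATH,
    };
    int fd = raw_openat2(dirfd, path, &how);
    if (fd >= 0 || (errno != ENOSYS && errno != EPERM))
        return fd;
    return openat(dirfd, path, flags);
}

int main(void) {
    int err = probe_openat2();
    if (err == 0)
        puts("openat2: available");
    else if (err == ENOSYS)
        puts("openat2: not implemented by this kernel");
    else if (err == EPERM)
        puts("openat2: present but rejected by a syscall filter");
    else
        printf("openat2: unexpected error: %s\n", strerror(err));

    int fd = open_with_fallback(AT_FDCWD, ".", O_RDONLY | O_DIRECTORY);
    if (fd < 0) {
        perror("open_with_fallback");
        return 1;
    }
    close(fd);
    return 0;
}
```

Run inside and outside the container: the probe distinguishes "kernel lacks it" from "filter denies it", which is the check the bug report asked for, and the fallback is what an application needs so the same binary works in both places.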

