[systemd-devel] How to disable seccomp in systemd-nspawn?

Lennart Poettering lennart at poettering.net
Fri Jun 26 15:53:16 UTC 2020


On Thu, 25.06.20 20:19, Mohan R (mohan43u at gmail.com) wrote:

> Hi
>
> On Thu, Jun 25, 2020 at 2:17 PM Lennart Poettering
> <lennart at poettering.net> wrote:
> > You can't disable seccomp right now.
>
> Any future plan to include a flag or some other way?
>
> > We implement a system call allow list, i.e. everything that isn't
> > explicitly allowed is denied. You can use --system-call-filter=openat2
> > to allow a specific syscall on top of our defaults, i.e. extend the
> > allow list, or remove entries from it.
>
> This '--system-call-filter' isn't working,
> https://gist.github.com/mohan43u/6ed44eff564f10cc04c709772b02c323
>
> Is this a bug in systemd-nspawn?

You might need a newer libseccomp so that the syscall is actually
known by it. openat2 is a very recent syscall addition, and you need
to update libseccomp in lockstep if you want it to grok it.

Lennart

--
Lennart Poettering, Berlin
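The advice above boils down to one check: does the libseccomp that systemd-nspawn is linked against actually know the name you put into --system-call-filter=? The script below is an added example written for this thread, not code from systemd or from anyone in the discussion. It assumes libseccomp is installed and loadable via ctypes, uses the real libseccomp API seccomp_syscall_resolve_name() (which returns __NR_SCMP_ERROR, i.e. -1, for a name it does not know, and a negative pseudo-number for a name it knows but that has no syscall on the native architecture), and follows the --system-call-filter= syntax from the nspawn man page (space-separated names or @groups, optional leading "~" for a deny list). @groups are systemd's own groups, so they are only reported, not resolved.

```python
"""Check whether the local libseccomp knows the syscall names you intend to
pass to systemd-nspawn --system-call-filter=.  Added example, not systemd code."""
import ctypes
import ctypes.util

# __NR_SCMP_ERROR from <seccomp.h>: returned for names libseccomp does not know.
NR_SCMP_ERROR = -1


def libseccomp_resolver():
    """Return a callable name -> number backed by the installed libseccomp,
    or None when the library cannot be loaded (assumes libseccomp.so.2)."""
    path = ctypes.util.find_library("seccomp")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    # int seccomp_syscall_resolve_name(const char *name);
    fn = lib.seccomp_syscall_resolve_name
    fn.argtypes = [ctypes.c_char_p]
    fn.restype = ctypes.c_int
    return lambda name: fn(name.encode("ascii"))


def classify(number):
    """Map a libseccomp resolution result to a human-readable status."""
    if number == NR_SCMP_ERROR:
        return "unknown to libseccomp (upgrade libseccomp)"
    if number < 0:
        # libseccomp hands back a negative pseudo-number for names it knows
        # but that have no syscall on the native architecture.
        return "known, but not native on this architecture"
    return "ok"


def parse_filter_spec(spec):
    """Split a --system-call-filter= value into (mode, entries).

    The value is a space-separated list of syscall names or @groups;
    a leading '~' turns the whole list into a deny list."""
    spec = spec.strip()
    mode = "allow"
    if spec.startswith("~"):
        mode = "deny"
        spec = spec[1:]
    return mode, spec.split()


def check_filter_spec(spec, resolver):
    """Return (mode, {entry: status}) for one --system-call-filter= value.

    '@group' entries are systemd syscall groups, not libseccomp names, so they
    are reported as groups and not resolved here."""
    mode, entries = parse_filter_spec(spec)
    report = {}
    for entry in entries:
        if entry.startswith("@"):
            report[entry] = "systemd group (see systemd-analyze syscall-filter)"
        else:
            report[entry] = classify(resolver(entry))
    return mode, report


if __name__ == "__main__":
    import sys
    resolver = libseccomp_resolver()
    if resolver is None:
        sys.exit("libseccomp not found; cannot resolve syscall names")
    # e.g.  python3 check_filter.py openat2 @basic-io
    mode, report = check_filter_spec(" ".join(sys.argv[1:]) or "openat2", resolver)
    print(f"mode: {mode}")
    for name, status in report.items():
        print(f"  {name}: {status}")
```

Run it with the same words you would pass to --system-call-filter=; a line reading "unknown to libseccomp" for openat2 means the filter entry cannot take effect on that host until libseccomp is updated, which is exactly the lockstep requirement Lennart describes.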

