Unexpected system call requirements for RestrictFileSystems
networkException
systemd at nwex.de
Mon Jan 1 00:26:33 UTC 2024
Hello,
I was looking into using RestrictFileSystems to further sandbox a
service that already uses a lot of systemd's sandboxing options,
including SystemCallFilter.
After starting the service I was surprised to see an audit message in
the kernel log (journalctl -t kernel -f) complaining about the "bpf"
system call not being allowed. From my understanding the systemd process
is usually responsible for lowering privileges; is this different here?
For reference I tested this behavior on systemd 254.6 by running
"systemd-run -t -p RestrictFileSystems="ext4" -p
SystemCallFilter="@file-system @basic-io prctl ioctl bpf" ls /proc" as root.
When removing "bpf" from the filter the aforementioned error in the
kernel log occurs and ls doesn't start. With the "bpf" system call ls
emits a permission error as /proc is not of type ext4.
Regards,
networkException
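As an added illustration (not part of the post above), the same sandboxing expressed as a persistent unit instead of the transient systemd-run invocation. The unit name, the ExecStart path and the comments are assumptions made for this example; the directive values are the ones from the post.

```ini
# /etc/systemd/system/sandboxed-ls.service (example unit, assumed name/path)
[Unit]
Description=RestrictFileSystems= combined with SystemCallFilter= (example)

[Service]
Type=oneshot
ExecStart=/bin/ls /proc

# Only allow file-system access on ext4 mounts; access to other
# file systems (such as /proc) is denied, so this ExecStart is
# expected to fail with a permission error.
RestrictFileSystems=ext4

# Allow list as used in the post. With RestrictFileSystems= in
# effect the post reports that "bpf" has to stay in the list:
# without it the kernel logs a seccomp audit message for bpf and
# the executable never starts.
SystemCallFilter=@file-system @basic-io prctl ioctl bpf
```

To reproduce the observation with this unit, start it with systemctl start sandboxed-ls.service while following the kernel log with journalctl -t kernel -f (as the post does), then remove "bpf" from SystemCallFilter= and compare. systemd-analyze security sandboxed-ls.service shows how the unit's hardening settings are scored, which is useful when tightening the allow list further.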