On Di, 28.05.19 17:16, Josef Moellers (jmoellers@xxxxxxx) wrote: > On 28.05.19 16:59, Lennart Poettering wrote: > > On Di, 28.05.19 14:04, Josef Moellers (jmoellers@xxxxxxx) wrote: > > > >>> Regarding the syscall groupings: yes, the groups exist precisely to > >>> improve cases like this. That said, I think we should be careful not > >>> have an inflation of groups, and we should ask twice whether a group > >>> is really desirable before adding it. I'd argue in the open/openat > >>> case the case is not strong enough though: writing a filter > >>> blacklisting those is very difficult, as it means you cannot run > >>> programs with dynamic libraries (as loading those requires > >>> open/openat), which hence limits the applications very much and > >>> restricts its use to very few, very technical cases. In those case I > >>> have the suspicion the writer of the filters needs to know in very > >>> much detail what the semantics are anyway, and he hence isn't helped > >>> too much by this group. > >>> > >>> Note that the @file-system group already includes both, so maybe > >>> that's a more adequate solution? (not usable for blacklisting though, > >>> only for whirelisting, realistically). > >>> > >>> Hence, I would argue this is a documentation issue, not a bug > >>> really... Does that make sense? > >> Yes. > >> > >> Linux has always been a moving target and in very many circumstances > >> this has been A Good Idea! > >> I guess I'm too much old school and try to keep to the principle of > >> least surprise. > > > > I added some docs about this to this PR: > > > > https://github.com/systemd/systemd/pull/12686 > > > > ptal! > > ... and in the section about SyscallErrorNumber, there is a duplicate > remark: > > See (see <citerefentry > project='man-pages'><refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum></citerefentry> > for a full list) for a full list of error codes. > > ... unless this is somehow mangled by the documetation builder. I fixed both issues now, and submitted as new PR: https://github.com/systemd/systemd/pull/12847 (btw, please always add review comments to the github PR rather than the mailing list, it's a lot easier to keep track of for us, and remember what is cared for already and what not) ptal, thanks, Lennart -- Lennart Poettering, Berlin _______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: SystemCallFilter
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: SystemCallFilter
- From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
- Date: Thu, 20 Jun 2019 15:13:23 +0200
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <b846253a-0b77-7efd-d470-1684633cf46b@suse.de>
- References: <3ab129cd-4b3d-9317-4e0d-490f6f6d4a5c@suse.de> <20190528115706.GB14946@gardel-login> <536d5494-f3ff-0c37-7499-bb1505ba402e@suse.de> <20190528145951.GA15356@gardel-login> <b846253a-0b77-7efd-d470-1684633cf46b@suse.de>
- References:
- SystemCallFilter
- From: Josef Moellers
- Re: SystemCallFilter
- From: Lennart Poettering
- Re: SystemCallFilter
- From: Josef Moellers
- Re: SystemCallFilter
- From: Lennart Poettering
- Re: SystemCallFilter
- From: Josef Moellers
- SystemCallFilter
- Prev by Date: Re: Delegate v1 cgroup controller permissions
- Next by Date: Re: [vfio-users] Fwd: Proper way for systemd service to wait mdev gvt device initialization
- Previous by thread: Re: SystemCallFilter
- Next by thread: RFC: temporarily deactivating udev rules during coldplug
- Index(es):
 |