On Tue, 23.06.20 09:41, Chris PeBenito (chpebeni@xxxxxxxxxxxxxxxxxxx) wrote:

> I've got some challenges using systemd's seccomp support because it
> conflicts with the way my system is managed. I need to manage the seccomp
> SystemCallFilter lists in a central location (single directory) so that they
> can be updated independently of the packages and portable services on my
> systems. Would there be any objections to a patch that would add a new unit
> option for loading the system call filter list out of a specified file?

seccomp still only supports plain bpf, not ebpf iirc. For some of the ebpf
uses we nowadays support, you can upload your filter yourself and then make
systemd use it: IPIngressFilterPath=/IPEgressFilterPath=. As soon as seccomp
supports ebpf natively we could expose the same mechanism also for system
call filtering, but until that happens I don't see any smart future-proof
way to provide an interface for integrating your own filters with systemd.

That said: you could also just use unit drop-ins, i.e. write a common
drop-in file that contains the filter you want to define and then symlink
it into the relevant unit .d/ subdirs. That way you can have a common
definition that is used by a variety of services. This is in fact what
portablectl's --profile= logic internally does: it just symlinks a common
.d/ drop-in into all service files it attaches. The common profiles are
shipped in /usr/lib/systemd/portable/profile/.

Lennart

--
Lennart Poettering, Berlin

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
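The drop-in approach Lennart describes, written out as a small POSIX sh script. This is an added example, not code from the thread or from systemd itself. The profile directory name (seccomp-profiles under the unit search path), the drop-in file name (10-syscall-filter.conf), the unit names, and the CONFROOT variable are assumptions for illustration; the SystemCallFilter=, SystemCallErrorNumber= and [Service] semantics are systemd's own. One shared file holds the filter, and each service that should use it only gets a symlink in its .d/ directory, which is the same shape as what portablectl --profile= does.

```shell
#!/bin/sh
# Added example (not from the original thread): keep one seccomp filter
# definition in a single file and symlink it into the .d/ directory of every
# service that should use it. Paths and unit names are assumptions.
set -eu

# Unit search path to operate on. Override CONFROOT with a scratch directory
# to try this without touching the real system (e.g. CONFROOT=$(mktemp -d)).
CONFROOT="${CONFROOT:-/etc/systemd/system}"

# Location of the shared drop-in; an assumed layout, not a systemd convention.
common_file() {
    printf '%s/seccomp-profiles/10-syscall-filter.conf\n' "$CONFROOT"
}

# Write the shared drop-in. A drop-in is an ordinary unit file fragment, so
# the [Service] section header is required for SystemCallFilter= to apply.
# Returning EPERM instead of the default SIGSYS kill makes violations show up
# as errors in the service's own logs, which is easier to debug at first.
write_common_filter() {
    f="$(common_file)"
    mkdir -p "$(dirname "$f")"
    cat > "$f" <<'EOF'
# Shared system call filter, maintained centrally.
[Service]
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
EOF
}

# Link the shared drop-in into <unit>.d/ for every unit given as an argument.
# systemd applies drop-ins in lexical order of their file names, so keep the
# numeric prefix stable if other drop-ins must override or follow this one.
attach_filter() {
    for unit in "$@"; do
        dropin_dir="$CONFROOT/$unit.d"
        mkdir -p "$dropin_dir"
        ln -sf "$(common_file)" "$dropin_dir/10-syscall-filter.conf"
    done
}

# Remove only our symlink; other drop-ins of the unit are left alone.
detach_filter() {
    for unit in "$@"; do
        rm -f "$CONFROOT/$1.d/10-syscall-filter.conf"
        shift
    done
}

# Succeeds if <unit> carries our symlink and it points at the shared file.
is_attached() {
    link="$CONFROOT/$1.d/10-syscall-filter.conf"
    [ -L "$link" ] && [ "$(readlink "$link")" = "$(common_file)" ]
}

# Usage: CONFROOT=/tmp/x sh ./attach-filter.sh foo.service bar.service
if [ "$#" -gt 0 ]; then
    write_common_filter
    attach_filter "$@"
fi
```

After running this against the real unit search path, `systemctl daemon-reload` is needed before the new drop-ins are picked up, and `systemctl show -p SystemCallFilter <unit>` shows the filter systemd actually loaded for each service, which is the check worth doing before relying on the symlinks being correct. Updating the single shared file changes the filter for every attached service at the next reload and restart, which is the central-management property the original question asks for.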