Re: [RFC] Seccomp filters from file

On 6/23/20 10:57 AM, Lennart Poettering wrote:
> On Di, 23.06.20 09:41, Chris PeBenito (chpebeni@xxxxxxxxxxxxxxxxxxx) wrote:
>
>> I've got some challenges using systemd's seccomp support because it
>> conflicts with the way my system is managed.  I need to manage the seccomp
>> SystemCallFilter lists in a central location (single directory) so that they
>> can be updated independently of the packages and portable services on my
>> systems. Would there be any objections to a patch that would add a new unit
>> option for loading the system call filter list out of a specified file?
>
> seccomp still only supports plain bpf, not ebpf iirc. For some of
> the ebpf uses we nowadays support that you can upload your filter
> yourself and then make systemd use it:
> IPIngressFilterPath=/IPEgressFilterPath=.
>
> As soon as seccomp supports ebpf natively we could expose the same
> mechanism also for system call filtering, but until that happens I
> don't see any smart future-proof way to provide an interface for
> integrating your own filters with systemd.

I don't understand your concern; can you clarify? Is it a concern about the kernel ABI stability for seccomp?


--
Chris PeBenito
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
