On Mi, 24.06.20 09:02, Chris PeBenito (chpebeni@xxxxxxxxxxxxxxxxxxx) wrote:

> On 6/23/20 10:57 AM, Lennart Poettering wrote:
> > On Di, 23.06.20 09:41, Chris PeBenito (chpebeni@xxxxxxxxxxxxxxxxxxx) wrote:
> >
> > > I've got some challenges using systemd's seccomp support because it
> > > conflicts with the way my system is managed. I need to manage the seccomp
> > > SystemCallFilter lists in a central location (single directory) so that they
> > > can be updated independently of the packages and portable services on my
> > > systems. Would there be any objections to a patch that would add a new unit
> > > option for loading the system call filter list out of a specified file?
> >
> > seccomp still only supports plain bpf, not ebpf iirc. For some of
> > the ebpf uses we nowadays support that you can upload your filter
> > yourself and then make systemd use it:
> > IPIngressFilterPath=/IPEgressFilterPath=.
> >
> > As soon as seccomp supports ebpf natively we could expose the same
> > mechanism also for system call filtering, but until that happens I
> > don't see any smart future-proof way to provide an interface for
> > integrating your own filters with systemd.
>
> I don't understand your concern; can you clarify? Is it a concern about the
> kernel ABI stability for seccomp?

iiuc you cannot upload seccomp filters via the bpf() syscall, hence they
cannot show up in bpffs either, but the IPIngressFilterPath= is built
around bpffs paths...

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
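The mechanical difference behind Lennart's last reply is that a seccomp filter is a classic-BPF program the kernel reads out of a struct sock_fprog in the caller's memory at seccomp(2) time; it is never a bpf() object, so it has no fd to pin with BPF_OBJ_PIN and no bpffs path for an option like IPIngressFilterPath= to refer to. The following is an added example, not systemd code and not the patch Chris proposed: it shows what "load the syscall filter list from a file" amounts to at the seccomp(2) level. The file format (whitespace-separated syscall numbers with '#' comments), the function names, and the sample list are all assumptions made for this example; the numbers 0 1 60 231 are read/write/exit/exit_group on x86_64 only, and a real implementation would resolve names per architecture.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#define MAX_SYSCALLS 200 /* keeps every jump offset inside cBPF's 8-bit jt field */

/* Assumed file format (not systemd's): whitespace-separated syscall numbers,
 * '#' starts a comment. Returns the count, or -1 on a bad token or overflow. */
static int parse_syscall_list(const char *text, int *out, size_t max)
{
    int n = 0;
    for (const char *p = text; *p;) {
        if (*p == ' ' || *p == '\t' || *p == '\n') { p++; continue; }
        if (*p == '#') { while (*p && *p != '\n') p++; continue; }
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0 || v > 0xffff || (size_t)n >= max) return -1;
        out[n++] = (int)v;
        p = end;
    }
    return n;
}

/* Classic-BPF allow-list: foreign arch -> kill, listed nr -> allow, else -> EPERM.
 * Returns the instruction count, or -1 if the list does not fit. */
static int build_allowlist(const int *nrs, int n, struct sock_filter *prog, size_t max_insns)
{
    if (n < 0 || n > MAX_SYSCALLS || (size_t)n + 6 > max_insns) return -1;
    int i = 0;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int k = 0; k < n; k++) /* jt = distance from this JEQ to the final ALLOW */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[k], (unsigned char)(n - k), 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Interpreter for the three opcode forms emitted above, so a filter can be
 * checked without installing it. Returns the SECCOMP_RET_* action. */
static unsigned run_filter(const struct sock_filter *prog, int len, const struct seccomp_data *d)
{
    unsigned acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == in->k ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL_PROCESS; /* unknown opcode: fail closed */
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: fail closed */
}

/* seccomp(2) consumes the program from process memory. There is no variant that
 * takes a bpf() fd or a bpffs path, which is the gap the thread is about. */
static int install_filter(struct sock_filter *prog, int len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &fprog);
}

/* Build the filter from `list` and evaluate it for one (arch, nr) pair; any
 * parse or build failure reports as kill so a broken file never widens policy. */
static unsigned classify(const char *list, unsigned arch, int nr)
{
    int nrs[MAX_SYSCALLS];
    struct sock_filter prog[MAX_SYSCALLS + 6];
    int n = parse_syscall_list(list, nrs, MAX_SYSCALLS);
    int len = n < 0 ? -1 : build_allowlist(nrs, n, prog, MAX_SYSCALLS + 6);
    if (len < 0) return SECCOMP_RET_KILL_PROCESS;
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(prog, len, &d);
}

int main(int argc, char **argv)
{
    /* Constructed sample list: read, write, exit, exit_group on x86_64 only. */
    static const char sample[] = "# per-architecture numbers\n0 1 60 231\n";
    printf("nr 1 -> 0x%x, nr 59 -> 0x%x\n", classify(sample, THIS_ARCH, 1), classify(sample, THIS_ARCH, 59));
    fflush(stdout);
    if (argc > 1 && strcmp(argv[1], "--install") == 0) {
        int nrs[MAX_SYSCALLS]; struct sock_filter prog[MAX_SYSCALLS + 6];
        int n = parse_syscall_list(sample, nrs, MAX_SYSCALLS);
        int len = n < 0 ? -1 : build_allowlist(nrs, n, prog, MAX_SYSCALLS + 6);
        if (len < 0 || install_filter(prog, len) < 0) { perror("install_filter"); return 1; }
        write(1, "filter installed\n", 17); /* only the listed syscalls work from here on */
        _exit(0);
    }
    return 0;
}
```

Run without arguments it only builds and simulates the filter; with --install it applies it to its own process, after which any syscall not in the list fails with EPERM (and a cross-architecture call kills the process). Note what the install path takes: a pointer to instructions in memory, handed to seccomp(2). By contrast, an IPIngressFilterPath= style option can resolve a bpffs path with bpf(BPF_OBJ_GET) to a program fd because that program was created and pinned through bpf(); a classic-BPF seccomp program is never created through bpf(), so there is nothing to pin and no path to hand over.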