On Thu, 25.06.20 20:19, Mohan R (mohan43u@xxxxxxxxx) wrote:

> Hi
>
> On Thu, Jun 25, 2020 at 2:17 PM Lennart Poettering
> <lennart@xxxxxxxxxxxxxx> wrote:
> > You can't disable seccomp right now.
>
> Any future plan to include a flag or some other way?
>
> > We implement a system call allow list, i.e. everything that isn't
> > explicitly allowed is denied. You can use --system-call-filter=openat2
> > to allow a specific syscall on top of our defaults, i.e. extend the
> > allow list, or remove entries from it.
>
> This '--system-call-filter' isn't working,
> https://gist.github.com/mohan43u/6ed44eff564f10cc04c709772b02c323
>
> Is this a bug in systemd-nspawn?

You might need a newer libseccomp so that the syscall is actually
known by it. openat2 is a very recent syscall addition, and you need
to update libseccomp in lockstep if you want it to grok it.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
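
One way to check the point made in the reply above, namely whether the installed libseccomp can resolve the name openat2 at all. This is an added example, not part of the original thread or of systemd; the helper names (load_libseccomp, library_version, unknown_syscalls) are hypothetical, while seccomp_syscall_resolve_name() and seccomp_version() are the library's own calls.

```python
import ctypes
import ctypes.util

SCMP_ERROR = -1  # __NR_SCMP_ERROR: returned when libseccomp does not know the name

class ScmpVersion(ctypes.Structure):
    # Mirrors struct scmp_version from <seccomp.h>
    _fields_ = [("major", ctypes.c_uint), ("minor", ctypes.c_uint), ("micro", ctypes.c_uint)]

def load_libseccomp():
    """Return a handle to the system libseccomp, or None if it is not installed."""
    path = ctypes.util.find_library("seccomp")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.seccomp_syscall_resolve_name.argtypes = [ctypes.c_char_p]
    lib.seccomp_syscall_resolve_name.restype = ctypes.c_int
    return lib

def library_version(lib):
    """Return (major, minor, micro), or None if seccomp_version() is unavailable."""
    try:
        fn = lib.seccomp_version
    except AttributeError:
        return None
    fn.restype = ctypes.POINTER(ScmpVersion)
    v = fn()
    return (v.contents.major, v.contents.minor, v.contents.micro) if v else None

def unknown_syscalls(names, resolve):
    """Return the names that `resolve` maps to __NR_SCMP_ERROR (unknown to the library)."""
    return [n for n in names if resolve(n.encode()) == SCMP_ERROR]

if __name__ == "__main__":
    lib = load_libseccomp()
    if lib is None:
        print("libseccomp not found on this system")
    else:
        print("libseccomp version:", library_version(lib))
        names = ["openat", "openat2"]  # names to check; openat2 is the one from the thread
        missing = unknown_syscalls(names, lib.seccomp_syscall_resolve_name)
        print("not known to this libseccomp:", missing or "none")
```

If openat2 shows up as not known, the library on that host predates the syscall and needs updating before a filter entry naming it can resolve.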