On 8.7.2020 17.47, Chris PeBenito wrote:
> I would like to implement a unit option that would make the seccomp
> action SCMP_ACT_LOG so that I can test SystemCallFilter settings without
> killing the services, like SELinux permissive mode.
>
> I was reading this GitHub issue about seccomp actions from last year:
>
> https://github.com/systemd/systemd/issues/11967
>
> While it mentioned other actions, it was mainly about changing the kill
> action to kill the process rather than just the offending thread. There
> wasn't a solid conclusion about how allow/log actions would work in
> terms of unit options. I figure one option is adding a new option like
> SystemCallFilterAllow=bool that would conflict with
> SystemCallFilterErrno. If true it would set SCMP_ACT_LOG for the
> action. Having a setting for SCMP_ACT_ALLOW seems redundant since it's
> equivalent to commenting out the SystemCallFilter option since there's
> no logging.

I think it would be more flexible to extend the error code return per
system call, like

SystemCallFilter=gettimeofday:LOG

For global error action, I'd propose SystemCallErrorNumber= to be
superseded by more generic

SystemCallErrorAction= KILL | LOG | errno code

-Topi
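
The per-syscall and global action syntax proposed in the message above, sketched as an added Python example (not part of the original mail and not systemd code). `SystemCallErrorAction=` and the `:LOG`/`:KILL` suffixes exist only as the mail's proposal; the function names, the KILL default when the option is unset, and the allow-list/deny-list fallback rules are assumptions.

```python
import errno

# Constructed unit fragment in the proposed syntax (not valid systemd config today).
SAMPLE_UNIT = """\
[Service]
SystemCallFilter=~gettimeofday:LOG ptrace:EPERM
SystemCallFilter=~mount swapon:13
SystemCallErrorAction=LOG
"""

def parse_action(text):
    """Map KILL | LOG | errno name | errno number to an action tuple."""
    word = text.strip().upper()
    if word in ("KILL", "LOG"):
        return (word,)
    if word.isdigit() and 0 < int(word) < 4096:
        return ("ERRNO", int(word))
    if word in errno.errorcode.values():
        return ("ERRNO", getattr(errno, word))
    raise ValueError(f"unknown seccomp action: {text!r}")

def parse_policy(unit_text):
    """Return (is_deny_list, per-syscall actions, global action)."""
    deny_list, entries, global_action = None, {}, ("KILL",)  # assumed default
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and key == "SystemCallErrorAction":
            global_action = parse_action(value)
        elif sep and key == "SystemCallFilter":
            inverted = value.startswith("~")  # "~" marks a deny list
            if deny_list not in (None, inverted):
                raise ValueError("mixed allow and deny lists are not modelled")
            deny_list = inverted
            for item in value.lstrip("~").split():
                name, colon, action = item.partition(":")
                entries[name] = parse_action(action) if colon else None
    return deny_list, entries, global_action

def action_for(policy, syscall):
    """Resolve the action one syscall would get under the parsed policy."""
    deny_list, entries, global_action = policy
    if deny_list is None:  # no SystemCallFilter= line at all
        return ("ALLOW",)
    if entries.get(syscall):  # an explicit suffix beats the global action
        return entries[syscall]
    listed = syscall in entries
    # Deny list: listed names get the global action. Allow list: unlisted ones do.
    return global_action if listed == deny_list else ("ALLOW",)
```

With a global action of LOG, every denied call that has no explicit suffix is logged rather than killed, which is the permissive-mode behaviour asked for in the quoted message.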