On So, 12.07.20 18:35, Reindl Harald (h.reindl@xxxxxxxxxxxxx) wrote:

> why are these bad and scored?
> including syscalls to the blacklist is hardly wrong

Sounds like a bug. Can you file it on github please? I figure the tool
becomes confused by the blacklist logic. Doing a whitelist is the
preferred way and it handles that much better.

Please provide the unit file in question in the github issue.

> systemd-243.8-1.fc31.x86_64
>
> ✗ SystemCallFilter=~@clock      System call blacklist defined for service, and @clock is included            0.1
> ✗ SystemCallFilter=~@debug      System call blacklist defined for service, and @debug is included            0.1
> ✗ SystemCallFilter=~@module     System call blacklist defined for service, and @module is included           0.1
> ✗ SystemCallFilter=~@mount      System call blacklist defined for service, and @mount is included            0.1
> ✗ SystemCallFilter=~@raw-io     System call blacklist defined for service, and @raw-io is included           0.1
> ✗ SystemCallFilter=~@reboot     System call blacklist defined for service, and @reboot is included           0.1
> ✗ SystemCallFilter=~@swap       System call blacklist defined for service, and @swap is included             0.1
> ✗ SystemCallFilter=~@privileged System call blacklist defined for service, and @privileged is not included   0.2
> ✗ SystemCallFilter=~@resources  System call blacklist defined for service, and @resources is not included    0.2
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Lennart

--
Lennart Poettering, Berlin
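As an added illustration (not part of the thread or of the unit file under discussion), here are the two ways of expressing the filter side by side: the denylist-only form that produced the scored rows above, and the allowlist-first form that `systemd-analyze security` rates well. The unit name `example.service` is a placeholder.

```ini
# /etc/systemd/system/example.service.d/syscalls.conf
# Drop-in for a placeholder unit; added example, not from the thread.

[Service]
# Form 1: denylist only, as in the quoted unit. Every syscall not named in
# a ~ line stays allowed, so the filter is only as strong as the list of
# groups the author remembered to forbid. (Kept commented out here so the
# two forms do not both apply; swap the comments to try it.)
#SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap

# Form 2: allowlist first, then subtract. The first assignment without ~
# makes the filter an allowlist: anything outside @system-service (the
# group systemd defines for ordinary daemons) is denied by default.
# A later ~ line removes groups from that allowed set.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Denied calls fail with EPERM instead of killing the process, which is
# easier to diagnose in the journal while tuning the list.
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload`, re-running `systemd-analyze security example.service` shows the SystemCallFilter rows change from the "blacklist defined" findings above to allowlist-based ones.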