On Fri, 26 Jun 2020 at 16:53, Lennart Poettering <lennart@xxxxxxxxxxxxxx> wrote:
> > We implement a system call allow list, i.e. everything that isn't
> > explicitly allowed is denied. You can use --system-call-filter=openat2
> > to allow a specific syscall on top of our defaults, i.e. extend the
> > allow list, or remove entries from it.
[..]
You might need a newer libseccomp so that the syscall is actually
known by it. openat2 is a very recent syscall addition, and you need
to update libseccomp in lockstep if you want it to grok it.
I've just been bitten by this - last time I looked into a similar problem, it seemed the calling code was confused by getting EPERM instead of ENOSYS. Could we distinguish between these two cases and generate the right error code? It would save a lot of aggro when working with containers..
S.
_______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
