On Sun, 16 Aug 2020 at 16:05, Steve Dodd <steved424@xxxxxxxxx> wrote:
That's interesting .. it's possible things don't work quite the way I think they do, but I will try to find previous examples - I remember borgbackup was affected on armhf fairly recently, for example.
Ah, the borgbackup thing was different - sync_file_range2 was missing from systemd's filter set. Here's the last "new syscall" issue though:
Hmm, this would make a ton of sense. We currently have a "log" seccomp
action, but it will just log and allow anyway. We'd need another
action that would log and refuse. Please file an RFE, or even better
prep a PR for this!

Looking at the kernel seccomp doc, I'm not actually sure it's possible, from code at least:

But there is /proc/sys/kernel/seccomp/actions_logged which might do the trick!
Ah, looks like we need to seccomp_attr_get(&ctx, SCMP_FLTATR_CTL_LOG, ..) somewhere for this to work. Not sure if that should be done unconditionally...
S.
_______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
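An added example, not part of the original message and not systemd or libseccomp code: the "log and refuse" behaviour discussed in the thread, written against the raw seccomp(2) interface, where SECCOMP_FILTER_FLAG_LOG is the kernel flag behind libseccomp's SCMP_FLTATR_CTL_LOG filter attribute. The refused call (getppid), the EPERM error and the function names are assumptions chosen for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Refuse getppid(2) with EPERM, allow the rest; the LOG flag asks the kernel to log every
 * non-ALLOW result. Demo only: a real filter must also check seccomp_data.arch first. */
static int install_log_and_refuse(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fp = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fp);
}
/* 0: refused with EPERM; 1: call went through; 2: filter not installed; -1: fork/wait error. */
int demo_log_and_refuse(void) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: the filter is confined to this process */
        if (install_log_and_refuse() != 0) _exit(2);
        _exit(syscall(__NR_getppid) == -1 && errno == EPERM ? 0 : 1);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}
/* 1 if the actions_logged sysctl lists "errno", 0 if it does not, -1 if unreadable. */
int errno_is_logged(void) {
    char buf[256] = "";
    FILE *f = fopen("/proc/sys/kernel/seccomp/actions_logged", "r");
    if (!f) return -1;
    if (!fgets(buf, sizeof buf, f)) buf[0] = '\0';
    fclose(f);
    return strstr(buf, "errno") != NULL;
}
int main(void) {
    printf("refused=%d errno_logged=%d\n", demo_log_and_refuse() == 0, errno_is_logged());
    return 0;
}
```

The denial only reaches the kernel or audit log when `errno` is also listed in /proc/sys/kernel/seccomp/actions_logged, which is why the program reports both results.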