On Mon, 14.12.20 14:54, Adi Ml (maladi1747@xxxxxxxxx) wrote:

> Hi,
>
> I would like to harden my udev service with the
> SystemCallFilter option. What system calls should be permitted/allowed in
> order to secure it and avoid irrelevant system calls?

We apply system call filters to all long-running services included in systemd by default — but we don't for udev because we cannot. It's more of an "application server" if you so will, that can run other code, as people can drop in rules of any kind if they wish. And we don't know what that'll be and what it wants to use. Hence we don't.

In specific setups that only support very specific software you can of course put together your own rules, but that's only something you can do if you know the stuff you run.

You may use "SystemCallLog=" (added in v247) in the udev unit file to make the kernel log all system calls that are done by a service.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
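An added example, not part of the original message or of systemd: one way to turn the records that "SystemCallLog=" produces into a candidate "SystemCallFilter=" list. It assumes the kernel reports them as audit SECCOMP records in key=value form on x86_64; the sample records, the `example-helper` process name and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Partial x86_64 syscall table, enough for the constructed sample below;
# on a real host resolve numbers against the full table for its ABI.
X86_64_NAMES = {1: "write", 16: "ioctl", 41: "socket", 59: "execve", 257: "openat"}
AUDIT_ARCH_X86_64 = "c000003e"
SECCOMP_RET_LOG = 0x7FFC0000  # seccomp action value for "log and allow"

RECORD = re.compile(
    r'type=(?:SECCOMP|1326)\b.*?\bcomm="(?P<comm>[^"]*)".*?'
    r'\barch=(?P<arch>[0-9a-f]+)\s+syscall=(?P<nr>\d+)\b.*?'
    r'\bcode=0x(?P<code>[0-9a-f]+)')

def observed_syscalls(lines):
    """Map process name (comm) -> set of syscall names seen in log records."""
    seen = defaultdict(set)
    for line in lines:
        m = RECORD.search(line)
        if not m or m["arch"] != AUDIT_ARCH_X86_64:
            continue  # not a seccomp record, or another ABI (numbers differ)
        if int(m["code"], 16) != SECCOMP_RET_LOG:
            continue  # a kill/errno action, not a log-only record
        nr = int(m["nr"])
        seen[m["comm"]].add(X86_64_NAMES.get(nr, f"nr:{nr}"))
    return dict(seen)

def filter_line(seen):
    """Candidate allow-list covering every process observed in the unit."""
    names = sorted(set().union(*seen.values()))
    unresolved = [n for n in names if n.startswith("nr:")]
    if unresolved:
        raise ValueError(f"resolve these syscall numbers first: {unresolved}")
    return "SystemCallFilter=" + " ".join(names)

def make_record(comm, arch, nr, code):
    """Build one constructed audit record (not captured from a real system)."""
    return (f'type=SECCOMP msg=audit(1607954040.101:201): uid=0 pid=312 '
            f'comm="{comm}" sig=0 arch={arch} syscall={nr} compat=0 '
            f'ip=0x7f0000001000 code={code}')

SAMPLE = [
    make_record("systemd-udevd", "c000003e", 257, "0x7ffc0000"),
    make_record("systemd-udevd", "c000003e", 16, "0x7ffc0000"),
    make_record("example-helper", "c000003e", 59, "0x7ffc0000"),  # run by a rule
    make_record("example-helper", "c000003e", 41, "0x7ffc0000"),
    make_record("example-helper", "40000003", 5, "0x7ffc0000"),   # i386: skipped
    make_record("systemd-udevd", "c000003e", 1, "0x80000000"),    # kill: skipped
]
```

The resulting list covers only the calls observed while logging was on, so it is only as complete as the set of rules and helper programs that actually ran during that window.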