Unexpected system call requirements for RestrictFileSystems

Hello,

I was looking into using RestrictFileSystems to further sandbox a
service that already uses a lot of systemd's sandboxing options,
including SystemCallFilter.

After starting the service I was surprised to see an audit message in
the kernel log (journalctl -t kernel -f) complaining about the "bpf"
system call not being allowed. From my understanding, the systemd process
is usually responsible for lowering privileges; is this different here?

For reference I tested this behavior on systemd 254.6 by running
"systemd-run -t -p RestrictFileSystems="ext4" -p
SystemCallFilter="@file-system @basic-io prctl ioctl bpf" ls /proc" as root.
When removing "bpf" from the filter, the aforementioned error in the
kernel log occurs and ls doesn't start. With the "bpf" system call, ls
emits a permission error, as /proc is not of type ext4.

Regards,
networkException
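As an added triage example (not part of the original post), here is a small parser for the seccomp audit lines that journalctl -t kernel prints when SystemCallFilter stops a system call, plus a helper that suggests which syscall names are missing from the filter string. The log lines are constructed, the x86_64 syscall table is a deliberate subset (bpf is 321 on x86_64), and expansion of groups such as @file-system is left to systemd-analyze syscall-filter.

```python
import re
from typing import Dict, List, Optional

# Subset of x86_64 (audit arch c000003e) syscall numbers; extend as needed.
X86_64_SYSCALLS: Dict[int, str] = {
    0: "read", 1: "write", 16: "ioctl", 157: "prctl", 257: "openat", 321: "bpf",
}

# SECCOMP_RET_* action values (upper 16 bits of the audit "code" field).
SECCOMP_ACTIONS: Dict[int, str] = {
    0x80000000: "kill_process", 0x00000000: "kill_thread",
    0x00030000: "trap", 0x00050000: "errno", 0x7ffc0000: "log",
}

# Constructed sample of what journalctl -t kernel shows for seccomp denials
# (first line: the process is killed before exec while still named "(ls)";
# second line: a filter configured with SystemCallErrorNumber returns EPERM).
SAMPLE_LOG = """\
audit: type=1326 audit(1700000000.100:41): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4242 comm="(ls)" exe="/usr/lib/systemd/systemd" sig=31 arch=c000003e syscall=321 compat=0 ip=0x7f1b2c3d4e5f code=0x80000000
audit: type=1326 audit(1700000000.200:42): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4243 comm="ls" exe="/usr/bin/ls" sig=0 arch=c000003e syscall=16 compat=0 ip=0x7f1b2c3d4e60 code=0x50001
"""

AUDIT_RE = re.compile(
    r'type=1326 .*?pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+).*?code=0x(?P<code>[0-9a-f]+)'
)


def parse_seccomp_denials(log: str) -> List[dict]:
    """One record per type=1326 line: which process, which syscall, what the filter did."""
    records = []
    for line in log.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        nr, code = int(m["nr"]), int(m["code"], 16)
        action_bits = code & 0xFFFF0000
        if m["arch"] == "c000003e":
            name = X86_64_SYSCALLS.get(nr, f"syscall_{nr}")
        else:
            name = f"arch_{m['arch']}_{nr}"  # other ABIs need their own table
        errno: Optional[int] = code & 0xFFFF if action_bits == 0x00050000 else None
        records.append({"pid": int(m["pid"]), "comm": m["comm"], "syscall": name,
                        "action": SECCOMP_ACTIONS.get(action_bits, "unknown"), "errno": errno})
    return records


def suggest_filter(current: str, records: List[dict]) -> str:
    """Append blocked syscall names not already listed; @groups are not expanded here."""
    allowed = set(current.split())
    extra = sorted({r["syscall"] for r in records if r["syscall"] not in allowed})
    return " ".join([current] + extra) if extra else current
```

Run against real output of journalctl -t kernel and confirm any suggested additions against systemd-analyze syscall-filter before widening a filter.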
