Both libseccomp and systemd's use of it need to be ported to arm, which supports seccomp filter mode.
On Tue, Feb 4, 2014 at 2:40 PM, Lennart Poettering <lenn...@poettering.net> wrote:
> On Tue, 04.02.14 20:59, Ronny Chevalier (chevalier.ro...@gmail.com) wrote:
>
>> There is no problem if someone does something like:
>> SystemCallFilter=write read execve
>> SystemCallFilter=ioperm
>> -- or --
>> SystemCallFilter=~write read execve
>> SystemCallFilter=~ioperm
>>
>> But in a case like:
>> SystemCallFilter=~write read execve
>> SystemCallFilter=ioperm
>>
>> What about ioperm? Should it be considered like ~ioperm? If yes, what
>> happens if someone does something like this:
>> SystemCallFilter=write read execve
>> SystemCallFilter=~ioperm
>>
>> Should we ignore the ~ioperm and generate an error? Or something else?
>> Since it doesn't mean anything.
>
> Hmm, so currently when the first line is with "~" we start from a full
> syscall set, and when it isn't with an empty set, and then we add/remove
> bits from it. And all subsequent lines will just continue
> adding/removing bits from this set. I'd claim this is a reasonably
> simple and obvious thing to do, as well as something that might even be
> useful to people -- think about people dropping in ".d/" snippets that
> want to readd a certain syscall that the .service file itself had
> dropped...
>
>> I mention this because I was about to send the new patch but I noticed
>> that in the previous patch and the new one I forgot about this part in
>> the documentation.
>
> So yeah, I figure we should continue with this logic, and of course
> probably document it...
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel

--
Shawn Landden
+1 360 389 3001 (SMS preferred)
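The merging rule Lennart describes, modelled as an added example (not systemd's own code): the first SystemCallFilter= value fixes the starting set (full set for "~", empty set otherwise) and every later value adds or removes from it. The syscall universe below is a constructed stand-in for the real table, and `merge_filters` is a hypothetical helper name.

```python
from typing import Iterable, Optional, Set, Tuple

# Constructed stand-in for the architecture's syscall table (the real one is far larger).
ALL_SYSCALLS = frozenset({"read", "write", "execve", "ioperm", "iopl", "open", "exit"})


def merge_filters(lines: Iterable[str], universe=ALL_SYSCALLS) -> Tuple[str, Set[str]]:
    """Apply successive SystemCallFilter= values in order.

    First value: "~..." starts from the full syscall set and removes the named
    calls (deny-list mode); anything else starts from the empty set and adds
    them (allow-list mode). Later values only add (no "~") or remove ("~")
    from the running set, so a drop-in can re-add a syscall the unit dropped.
    Returns (mode, set of permitted syscalls).
    """
    permitted: Optional[Set[str]] = None
    mode = ""
    for raw in lines:
        value = raw.strip()
        negate = value.startswith("~")
        names = set(value.lstrip("~").split())
        unknown = names - universe
        if unknown:
            raise ValueError(f"unknown syscall(s): {sorted(unknown)}")
        if permitted is None:
            # The first line decides the starting point and therefore the mode.
            permitted = set(universe) if negate else set()
            mode = "deny-list" if negate else "allow-list"
        if negate:
            permitted -= names   # "~ioperm" in allow-list mode is a harmless no-op
        else:
            permitted |= names   # "ioperm" in deny-list mode re-permits it (also a no-op here)
    if permitted is None:
        raise ValueError("no SystemCallFilter= lines given")
    return mode, permitted


if __name__ == "__main__":
    # The four cases from the thread, in order.
    for case in (["write read execve", "ioperm"], ["~write read execve", "~ioperm"],
                 ["~write read execve", "ioperm"], ["write read execve", "~ioperm"]):
        print(case, "->", merge_filters(case))
```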