Re: [systemd-devel] [PATCH] refactored Re: [PATCH] nspawn: Map all seccomp filters to matching capabilities

[Jay Faulkner]

Hey,

Lennart reviewed this in IRC and suggested I refactor the change in this 
manner. Now, we have an array of capability:sys call pairs, and iterate through 
that and then only add the seccomp filter if the capability doesn’t exist.

The new patch is attached, and available here: 
https://github.com/jayofdoom/systemd/pull/5.patch.

nspawn-seccomp-capabilities.patch
Description: nspawn-seccomp-capabilities.patch

Thanks all, Jay Faulkner On Feb 27, 2015, at 12:15 PM, Jay Faulkner <j...@jvf.cc> wrote: Hi all, My apologies if this is frowned upon, but this has been posted for a week and I haven’t gotten any feedback on it. I’d appreciate if this could get reviewed and if adequate, merged. I’m waiting on this change in order to be able to continue using systemd-nspawn containers, properly configured, to perform system tasks (such as firmware and bios flashing). Thanks, Jay Faulkner On Feb 20, 2015, at 6:59 PM, Jay Faulkner <j...@jvf.cc> wrote: After some additional testing, I found a bug in this patch where it would not compile with seccomp disabled. I’ve updated the patch at https://github.com/jayofdoom/systemd/pull/4.patch — also I’ve attached the fixed patch. -Jay <refactor-nspawn-map-seccomp-to-capabilities.patch> On Feb 20, 2015, at 4:18 PM, Jay Faulkner <j...@jvf.cc> wrote: Hi all, At the suggestion (and with the assistance of) a co-worker, we remade this patch to not have quite as much repeated code. The new version is attached and can be found here https://github.com/jayofdoom/systemd/pull/4.patch — thanks! <refactor-nspawn-map-seccomp-to-capabilities.patch> Thanks, Jay Faulkner On Feb 20, 2015, at 2:24 PM, Jay Faulkner <j...@jvf.cc> wrote: Hi all, Two weeks ago[1] I patched systemd-nspawn to respect CAP_SYS_MODULE with regards to setting seccomp filters. As I needed access to some of the other blocked syscalls as well, I have a patch to map all seccomp filters to various capabilities, and to only set those filters if the matching capability is dropped. The matching capabilities were taken from the man pages of the syscalls involved. I’d also suggest that in the future, additional filters use this same mapping as to avoid breaking use cases like mine in the future. :) The patch is attached, but in case it gets mangled in transport as the last one did, feel free to get it directly from github here:  https://github.com/jayofdoom/systemd/pull/3.patch. Thanks, Jay Faulkner <nspawn-map-seccomp-to-capabilities.patch> _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel