Hello all,

I was about to (re-)enable seccomp support in our systemd packages, and to write an integration test for it. However, it seems that this currently does not work at all.
config.h has HAVE_SECCOMP==1, and systemctl --version shows +SECCOMP, kernel has CONFIG_SECCOMP=y, CONFIG_HAVE_ARCH_SECCOMP_FILTER=y, and CONFIG_SECCOMP_FILTER=y, and I'm running on x86-64, so that all seems fine. But if I have a unit like

    [Unit]
    Description=seccomp test

    [Service]
    ExecStart=/bin/cat /etc/machine-id
    SystemCallFilter=access

(which really ought to fail) it just succeeds.

Also, running ./test-execute as root fails in test_exec_systemcallfilter():

    exec-systemcallfilter-failing.service
    UMask: 0022
    WorkingDirectory: /home/martin
    RootDirectory: /
    NonBlocking: no
    PrivateTmp: no
    PrivateNetwork: no
    PrivateDevices: no
    ProtectHome: no
    ProtectSystem: no
    IgnoreSIGPIPE: yes
    StandardInput: null
    StandardOutput: inherit
    StandardError: inherit
    This should not be seen
    PID: 16439
    Start Timestamp: Tue 2015-06-09 12:56:51 CEST
    Exit Timestamp: Tue 2015-06-09 12:56:51 CEST
    Exit Code: exited
    Exit Status: 0
    Assertion 'service->main_exec_status.status == status_expected' failed at src/test/test-execute.c:57, function check(). Aborting.

This is with libseccomp 2.2.1, I tested kernel 3.19 and 4.0.

Is that working for anyone else? In particular, could you check if you have HAVE_SECCOMP and test-execute succeeds (as root) for you?

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer (www.debian.org)