On Tue, 09.06.15 13:00, Martin Pitt (martin.p...@ubuntu.com) wrote:

> Hello all,
>
> I was about to (re-)enable seccomp support in our systemd packages,
> and to write an integration test for it. However, it seems that this
> currently does not seem to work at all.

Works fine here.

> config.h has HAVE_SECCOMP==1, and systemctl --version shows +SECCOMP,
> kernel has CONFIG_SECCOMP=y, CONFIG_HAVE_ARCH_SECCOMP_FILTER=y, and
> CONFIG_SECCOMP_FILTER=y, and I'm running on x86-64, so that all seems
> fine.

Same settings here, on Fedora. All works fine.

> But if I have a unit like
>
> | [Unit]
> | Description=seccomp test
> |
> | [Service]
> | ExecStart=/bin/cat /etc/machine-id
> | SystemCallFilter=access
>
> (which really ought to fail) it just succeeds. Also, running

This fails here, as it should.

> ./test-execute as root fails in test_exec_systemcallfilter():
>
> | exec-systemcallfilter-failing.service
> | UMask: 0022
> | WorkingDirectory: /home/martin
> | RootDirectory: /
> | NonBlocking: no
> | PrivateTmp: no
> | PrivateNetwork: no
> | PrivateDevices: no
> | ProtectHome: no
> | ProtectSystem: no
> | IgnoreSIGPIPE: yes
> | StandardInput: null
> | StandardOutput: inherit
> | StandardError: inherit
> | This should not be seen
> | PID: 16439
> | Start Timestamp: Tue 2015-06-09 12:56:51 CEST
> | Exit Timestamp: Tue 2015-06-09 12:56:51 CEST
> | Exit Code: exited
> | Exit Status: 0
> | Assertion 'service->main_exec_status.status == status_expected' failed at
> src/test/test-execute.c:57, function check(). Aborting.
>
> This is with libseccomp 2.2.1, I tested kernel 3.19 and 4.0. Is that
> working for anyone else? In particular, could you check if you have
> HAVE_SECCOMP and test-execute succeeds (as root) for you?

The test works fine here too. Seems to be specific to your distro/setup?

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
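Added example, not code from this thread or from systemd: a stand-alone C program that installs the kind of seccomp filter SystemCallFilter= applies, then reports what the kernel actually did to a child process. systemd builds its program with libseccomp (the thread mentions libseccomp 2.2.1); this example hand-assembles an equivalent classic-BPF program and loads it with prctl(PR_SET_SECCOMP), so it needs only kernel headers. The names probe(), install_filter(), seccomp_mode_from_proc() and the enum values are this example's own. Two caveats it encodes: the unit in the thread uses the bare, allow-list form of SystemCallFilter=, under which /bin/cat is expected to die with SIGSYS on its first syscall that is not access; the example uses the deny-list form instead (systemd's "~" prefix) so that the child survives to report the result, and it blocks access, faccessat and faccessat2 together because glibc implements access() with whichever of those the architecture provides. Its third outcome, "no filter in effect", is the symptom Martin describes, and the check it uses for that, the "Seccomp:" line of /proc/<pid>/status (0 off, 1 strict, 2 filter), is the quickest thing to read for a unit's main PID when a filter appears to have no effect.

```c
/* Added example (not from the thread or from systemd): a deny-list seccomp
 * filter for the access() family, loaded with raw classic BPF via prctl(2).
 * probe(), install_filter() and seccomp_mode_from_proc() are names chosen
 * for this example. Linux only; build with: cc -Wall -o seccomp-probe seccomp-probe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
# define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
# define FILTER_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
# define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
# error "add the AUDIT_ARCH_* value for this architecture"
#endif

enum probe_mode { PROBE_NONE, PROBE_ERRNO, PROBE_KILL };
enum outcome {
    OUTCOME_ALLOWED,   /* access() succeeded: no filter was in effect */
    OUTCOME_DENIED,    /* access() returned -1/EPERM: filter hit, SECCOMP_RET_ERRNO */
    OUTCOME_KILLED,    /* child died with SIGSYS: filter hit, SECCOMP_RET_KILL */
    OUTCOME_NOFILTER,  /* kernel refused the filter, or /proc did not show Seccomp: 2 */
    OUTCOME_ERROR
};

/* Deny-list filter: the access() family gets deny_action, everything else is
 * allowed. glibc's access() is one of access/faccessat/faccessat2 depending on
 * the architecture and version, so all that the headers know of are covered. */
static int install_filter(uint32_t deny_action)
{
    const uint32_t denied[] = {
#ifdef __NR_access
        __NR_access,
#endif
        __NR_faccessat,
#ifdef __NR_faccessat2
        __NR_faccessat2,
#endif
    };
    const unsigned ndenied = sizeof denied / sizeof denied[0];
    struct sock_filter prog[16];
    unsigned n = 0;

    /* Kill on a foreign ABI (e.g. 32-bit syscall numbers on an x86-64 kernel). */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* On a match, jump over the remaining compares and the ALLOW to the deny return. */
    for (unsigned i = 0; i < ndenied; i++)
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied[i], (unsigned char)(ndenied - i), 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, deny_action);

    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required for unprivileged callers */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* "Seccomp:" field of /proc/self/status: 0 = off, 1 = strict, 2 = filter. */
static int seccomp_mode_from_proc(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int mode = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Seccomp: %d", &mode) == 1)
            break;
    fclose(f);
    return mode;
}

/* Fork a child, optionally filter it, and let it call access("/", F_OK).
 * The child's exit status or signal tells the parent what the filter did. */
static enum outcome probe(enum probe_mode mode)
{
    pid_t pid = fork();
    if (pid < 0)
        return OUTCOME_ERROR;
    if (pid == 0) {
        if (mode != PROBE_NONE) {
            uint32_t action = mode == PROBE_KILL ? SECCOMP_RET_KILL
                                                 : (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
            if (install_filter(action) != 0 || seccomp_mode_from_proc() != 2)
                _exit(20);
        }
        if (access("/", F_OK) == 0)
            _exit(0);
        _exit(errno == EPERM ? 10 : 30);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return OUTCOME_ERROR;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSYS ? OUTCOME_KILLED : OUTCOME_ERROR;
    if (!WIFEXITED(status))
        return OUTCOME_ERROR;
    switch (WEXITSTATUS(status)) {
    case 0:  return OUTCOME_ALLOWED;
    case 10: return OUTCOME_DENIED;
    case 20: return OUTCOME_NOFILTER;
    default: return OUTCOME_ERROR;
    }
}

int main(void)
{
    static const char *const names[] = { "allowed (no filter in effect)", "denied with EPERM",
                                         "killed by SIGSYS", "filter not installed", "error" };
    printf("unfiltered:        %s\n", names[probe(PROBE_NONE)]);
    printf("SECCOMP_RET_ERRNO: %s\n", names[probe(PROBE_ERRNO)]);
    printf("SECCOMP_RET_KILL:  %s\n", names[probe(PROBE_KILL)]);
    return 0;
}
```

The two filtered runs correspond to systemd's two behaviours: the default action terminates the process with SIGSYS (SECCOMP_RET_KILL), and SystemCallErrorNumber= switches it to returning an errno (SECCOMP_RET_ERRNO). If the unfiltered and the filtered runs both print "allowed", the filter never reached the process, which is the state to investigate before blaming the syscall list.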