Hello, SystemCallFilter, while a nice feature, is not easy to use because there are hundreds of system calls to be managed.
I'm proposing to add a simpler way to prepare seccomp filters (to complement SystemCallFilter), where the user can construct the filter by using predefined system call groups or sets. Looking at the system calls, they can be arranged in roughly the following groups/sets:

SysAdmin: mknod, [u]mount, pivot_root, init_module, set*id, reboot and so forth, all system calls where superuser capabilities are always needed.
NetworkIO: socket, bind, connect, sendto, listen, accept etc.
FileIO: most of the calls, open, read, ioctl etc.
IPC: mq_*, msg*, sem*, shm*
Exec (poor name): clone, execve, [v]fork, unshare

For finer tuning, the sets could be subdivided with subgroups like NetworkIOSend (only sendto etc.), NetworkIOReceive and NetworkIOGeneral (for the rest), so that NetworkIO = NetworkIOGeneral + NetworkIOSend + NetworkIOReceive. The possibilities to subdivide are of course endless, but as the overall goal is to make the user's life simpler, it would not make sense to introduce hundreds of groups because then we'd be back to where we started.

An example of the syntax would be:

Blacklisting version:
SystemCallFilterSet=~SysAdmin NetworkIOWrite

The same as whitelist:
SystemCallFilterSet=FileIO IPC Exec NetworkGeneral NetworkIOReceive

SystemCallFilter lines would then modify the filters created by the SystemCallFilterSet instead of starting from scratch. Alternatively SystemCallFilter syntax could be enhanced with the sets. But then an old (downgraded) systemd would not understand the new syntax and it would reject the entire line, which would remove all filtering.

Maybe this feature could be updated when the kernel (or more likely seccomp) introduces new syscalls without changing the syntax. For example, if a new privileged system call blinkenlights is added by kernel 7.3, it could be added to the SysAdmin set. The downside is that the filter would expand when whitelisting and it would not be exactly the same for different kernel or systemd versions.
-Topi

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
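The following is an added model of the proposed semantics, not code from the post or from systemd: it expands set names (including the composite NetworkIO = General + Send + Receive) into a concrete allow list for both the ~blacklist and whitelist forms, and then lets SystemCallFilter lines modify that base. The set contents are a constructed, deliberately small sample, and the rule that a plain SystemCallFilter line adds to the allow list while a ~ line removes from it is an assumption about how "modify instead of starting from scratch" would work.

```python
"""Model of the proposed SystemCallFilterSet= semantics (assumed names)."""

# Constructed sample of the groups sketched in the post; real sets would be
# far larger and track the kernel's syscall table.
SETS = {
    "SysAdmin": {"mknod", "mount", "umount", "pivot_root", "init_module",
                 "setuid", "setgid", "reboot"},
    "NetworkIOGeneral": {"socket", "bind", "connect", "listen", "accept"},
    "NetworkIOSend": {"sendto", "sendmsg"},
    "NetworkIOReceive": {"recvfrom", "recvmsg"},
    "FileIO": {"open", "read", "write", "ioctl", "close"},
    "IPC": {"mq_open", "msgget", "semget", "shmget"},
    "Exec": {"clone", "execve", "fork", "vfork", "unshare"},
}
# A composite set is the union of its subgroups, as in the post's
# NetworkIO = NetworkIOGeneral + NetworkIOSend + NetworkIOReceive.
COMPOSITES = {"NetworkIO": ["NetworkIOGeneral", "NetworkIOSend", "NetworkIOReceive"]}

ALL_SYSCALLS = set().union(*SETS.values())


def expand(name):
    """Resolve a set name (composite or leaf) to the syscalls it contains."""
    if name in COMPOSITES:
        return set().union(*(expand(sub) for sub in COMPOSITES[name]))
    if name not in SETS:
        raise KeyError(f"unknown system call set: {name}")
    return set(SETS[name])


def parse(value):
    """Split 'A B' / '~A B' into (is_denylist, [names])."""
    value = value.strip()
    return value.startswith("~"), value.lstrip("~").split()


def resolve(set_line, filter_lines=()):
    """Return the set of ALLOWED syscalls.

    SystemCallFilterSet= builds the base: a ~ line denies the listed sets
    (everything else allowed), a plain line allows only the listed sets.
    Each SystemCallFilter= line of individual syscalls then adjusts that
    base (assumption): plain lines add, ~ lines remove.
    """
    deny, names = parse(set_line)
    listed = set().union(*(expand(n) for n in names))
    allowed = (ALL_SYSCALLS - listed) if deny else listed
    for line in filter_lines:
        deny, calls = parse(line)
        allowed = (allowed - set(calls)) if deny else (allowed | set(calls))
    return allowed
```

Comparing the two forms with this model also shows the versioning caveat from the post: a new syscall added to ALL_SYSCALLS but to no set is allowed under a ~ line and denied under a whitelist.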