On Sat, 16.04.16 11:48, Topi Miettinen (toiwo...@gmail.com) wrote:

> Hello,
>
> SystemCallFilter, while a nice feature, is not easy to use because there
> are hundreds of system calls to be managed.
>
> I'm proposing to add a simpler way to prepare seccomp filters (to
> complement SystemCallFilter), where the user can construct the filter by
> using predefined system call groups or sets.

Yeah, sounds like a useful addition. But could you please post this as an issue on github? We tend to track RFEs that way.

> The same as whitelist:
> SystemCallFilterSet=FileIO IPC Exec NetworkGeneral NetworkIOReceve
>
> SystemCallFilter lines would then modify the filters created by the
> SystemCallFilterSet instead of starting from scratch.
>
> Alternatively SystemCallFilter syntax could be enhanced with the sets.
> But then an old (downgraded) systemd would not understand the new syntax
> and it would reject the entire line, which would remove all
> filtering.

Well, that's not unlike when new syscalls are added, so this issue sounds OK to me. IIRC we simply warn and proceed if we find a token in the SystemCallFilter= line that we don't know. Hence, I think it would be nice to say that maybe all tokens in that line that start with an "@" or so refer to such named, high-level lists.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
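The token semantics discussed above (named "@" sets expanded inline, a "~" prefix turning the line into a deny list, and unknown tokens warned about and skipped rather than discarding the whole line), as an added example that is not part of this thread and not systemd's own parser. The set names and their members are constructed for illustration and are much smaller than any real system call group.

```python
import warnings

# Constructed, abbreviated set definitions for illustration only;
# a real named set would contain many more system calls.
SYSCALL_SETS = {
    "@file-io": {"open", "openat", "read", "write", "close"},
    "@network-io": {"socket", "connect", "sendto", "recvfrom"},
    "@exec": {"execve", "execveat"},
}


def expand_filter(line, sets=SYSCALL_SETS):
    """Expand one SystemCallFilter= value into (is_allow_list, syscalls).

    A leading "~" makes the line a deny list (the existing SystemCallFilter=
    convention).  A token starting with "@" names a set and is replaced by
    its members.  An unknown token is reported with a warning and skipped,
    so the remaining filter survives instead of the whole line being
    rejected, which is what matters when an older systemd reads the unit.
    """
    value = line.strip()
    is_allow_list = not value.startswith("~")
    if not is_allow_list:
        value = value[1:]
    syscalls = set()
    for token in value.split():
        if token.startswith("@"):
            members = sets.get(token)
            if members is None:
                warnings.warn(f"unknown system call set {token!r}, ignoring")
                continue
            syscalls |= members
        else:
            syscalls.add(token)
    return is_allow_list, syscalls


def apply_lines(lines, sets=SYSCALL_SETS):
    """Merge several SystemCallFilter= lines: allow-list lines add to the
    permitted set, deny-list lines remove from it (order matters)."""
    permitted = set()
    for line in lines:
        is_allow_list, syscalls = expand_filter(line, sets)
        if is_allow_list:
            permitted |= syscalls
        else:
            permitted -= syscalls
    return permitted
```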