On Sun, 16 Aug 2020 at 16:05, Steve Dodd <steved...@gmail.com> wrote:
> That's interesting .. it's possible things don't work quite the way I think
> they do, but I will try to find previous examples - I remember borgbackup
> was affected on armhf fairly recently, for example.
>

Ah, the borgbackup thing was different - sync_file_range2 was missing from
systemd's filter set. Here's the last "new syscall" issue though:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1883447

>> Hmm, this would make a ton of sense. We currently have a "log" seccomp
>> action, but it will just log and allow anyway. we'd need another
>> action that would log and refuse. Please file an RFE, or even better
>> prep a PR for this!
>>
>
> Looking at the kernel seccomp doc, I'm not actually sure it's possible,
> from code at least:
>
> https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html
>
> But there is /proc/sys/kernel/seccomp/actions_logged which might do the
> trick!
>

Ah, looks like we need to seccomp_attr_get(&ctx, SCMP_FLTATR_CTL_LOG, ..)
somewhere for this to work. Not sure if that should be done unconditionally...

S.
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
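The "log and refuse" behaviour discussed in this message, shown with the raw kernel interface instead of libseccomp, as an added example that is not part of the original message or of systemd's code. It uses SECCOMP_FILTER_FLAG_LOG, the kernel flag that libseccomp's SCMP_FLTATR_CTL_LOG attribute controls, and assumes Linux 4.14 or later; the function names and the choice of getppid() as the refused syscall are illustrative.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* A child refuses getppid() with EPERM under SECCOMP_FILTER_FLAG_LOG. Returns
 * the errno the child saw, 0 if allowed, -1 if the filter was not installed. */
int refused_errno_with_log(void)
{
    struct sock_filter prog[] = {   /* production filters check .arch first */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = 4, .filter = prog };
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fprog))
            _exit(255);
        _exit(syscall(SYS_getppid) == -1 ? errno : 0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

/* 1 if the admin setting lets "errno" actions be logged, 0 if not, -1 on error. */
int errno_action_logged(void)
{
    char buf[256] = "";
    FILE *f = fopen("/proc/sys/kernel/seccomp/actions_logged", "r");
    int ok = f && fgets(buf, sizeof buf, f);
    if (f) fclose(f);
    return ok ? strstr(buf, "errno") != NULL : -1;
}

int main(void)
{
    return printf("refused: errno %d, errno logged: %d\n", refused_errno_with_log(), errno_action_logged()) < 0;
}
```

The refused call is recorded only when the flag is set on the filter and `errno` is also listed in /proc/sys/kernel/seccomp/actions_logged, so both results are needed to know whether a log record will appear.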