On Wed, 04.02.15 02:21, Jay Faulkner (j...@jvf.cc) wrote:

> > I am not particularly fond of the idea of adding a completely new
> > command line option for this though. Maybe we can find another way for
> > this.
> >
> > For example, one option could be to split the seccomp syscall
> > blacklist in two: split out the kernel kmod related syscalls, and
> > only add them to the seccomp filter if arg_retain does not include
> > CAP_SYS_MODULE. This would then leave the module seccomp filters in
> > place by default, however, if you add the CAP_SYS_MODULE cap to the
> > container with --capability= then the seccomp filter is changed to
> > also allow the module loading sys calls.
>
> I implemented this; the patch can be pulled directly from
> https://github.com/jayofdoom/systemd/pull/2.patch to prevent me from
> corrupting this along the way.
Applied, thanks!

> As a note; unlike what we discussed in IRC, someone passing capability=all
> will be covered for module loading in this situation, because all sets the
> bitmask to -1, effectively enabling all capabilities.

Yupp, I thought that was pretty much what I was saying on IRC.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
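The capability-gated blacklist the thread converges on, as an added example in C that is not code from the messages above or from systemd-nspawn itself: each syscall to block is tagged with the capability that makes it legitimate, a rule is selected only when that capability is absent from the retained set, and a `--capability=` parser treats `all` as setting every bit, so the module-loading entries are lifted as well (the point Jay raises). The syscall table, `DEFAULT_RETAIN`, the capability-name table and the helper names are assumptions; the example stops at selecting the syscalls and does not install a seccomp filter.

```c
/* Capability-gated seccomp blacklist, modelled on the approach agreed above.
 * Added illustration, not systemd-nspawn's code: syscall table, DEFAULT_RETAIN
 * and helper names are assumptions. Capability numbers are the Linux values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CAP_CHOWN             0
#define CAP_NET_BIND_SERVICE 10
#define CAP_SYS_MODULE       16
#define CAP_SYS_RAWIO        17
#define CAP_SYS_BOOT         22
#define CAP_BIT(c)   (UINT64_C(1) << (c))
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed default retain set (what the container keeps before any
 * --capability= additions): none of the capabilities the blacklist is keyed on. */
#define DEFAULT_RETAIN (CAP_BIT(CAP_CHOWN) | CAP_BIT(CAP_NET_BIND_SERVICE))

/* Each blocked syscall is tagged with the capability that makes it legitimate;
 * a rule is emitted only when that capability is NOT retained. Module loading
 * is keyed on CAP_SYS_MODULE, as proposed in the thread. */
static const struct { unsigned capability; const char *syscall; } blacklist[] = {
    { CAP_SYS_MODULE, "init_module"   },
    { CAP_SYS_MODULE, "finit_module"  },
    { CAP_SYS_MODULE, "delete_module" },
    { CAP_SYS_RAWIO,  "iopl"          },
    { CAP_SYS_RAWIO,  "ioperm"        },
    { CAP_SYS_BOOT,   "kexec_load"    },
};

static const struct { const char *name; unsigned bit; } cap_names[] = {
    { "CAP_CHOWN", CAP_CHOWN }, { "CAP_NET_BIND_SERVICE", CAP_NET_BIND_SERVICE },
    { "CAP_SYS_MODULE", CAP_SYS_MODULE }, { "CAP_SYS_RAWIO", CAP_SYS_RAWIO },
    { "CAP_SYS_BOOT", CAP_SYS_BOOT },
};

/* Parse a --capability= style list ("CAP_SYS_MODULE,CAP_SYS_RAWIO" or "all").
 * "all" sets every bit, the -1 bitmask mentioned in the thread, which is why
 * it lifts the module-loading rules too. Returns 0, or -1 on an unknown name. */
int parse_capability_list(const char *list, uint64_t *mask)
{
    const char *p = list;
    uint64_t m = 0;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p), i;

        if (len == 3 && strncmp(p, "all", 3) == 0) {
            m = UINT64_MAX;
        } else {
            for (i = 0; i < ARRAY_LEN(cap_names); i++)
                if (strlen(cap_names[i].name) == len &&
                    strncmp(p, cap_names[i].name, len) == 0)
                    break;
            if (i == ARRAY_LEN(cap_names))
                return -1;
            m |= CAP_BIT(cap_names[i].bit);
        }
        p = end ? end + 1 : p + len;
    }
    *mask = m;
    return 0;
}

/* Fill `out` with the syscalls that still need a seccomp rule under `retain`;
 * returns the full count even when `max` is smaller (one deny rule each). */
size_t select_blocked_syscalls(uint64_t retain, const char **out, size_t max)
{
    size_t n = 0, i;
    for (i = 0; i < ARRAY_LEN(blacklist); i++) {
        if (retain & CAP_BIT(blacklist[i].capability))
            continue;               /* capability granted: keep it reachable */
        if (n < max)
            out[n] = blacklist[i].syscall;
        n++;
    }
    return n;
}

int main(void)
{
    const char *cases[] = { "", "CAP_SYS_MODULE", "all" };
    size_t c, i;
    for (c = 0; c < ARRAY_LEN(cases); c++) {
        const char *blocked[ARRAY_LEN(blacklist)];
        uint64_t extra = 0;
        size_t n;

        if (parse_capability_list(cases[c], &extra) < 0)
            return 1;
        n = select_blocked_syscalls(DEFAULT_RETAIN | extra, blocked, ARRAY_LEN(blocked));
        printf("--capability=%-15s blocked:%s", cases[c], n ? "" : " (none)");
        for (i = 0; i < n; i++)
            printf(" %s", blocked[i]);
        printf("\n");
    }
    return 0;
}
```

With the default set all six entries are selected; adding only `CAP_SYS_MODULE` drops the three module syscalls and keeps `iopl`, `ioperm` and `kexec_load`; `all` selects nothing, which is the behaviour Jay notes: granting every capability also removes every capability-keyed seccomp rule, so `--capability=all` should be treated as a deliberate decision rather than a convenience.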