After some additional testing, I found a bug in this patch where it would not
compile with seccomp disabled. I’ve updated the patch at
https://github.com/jayofdoom/systemd/pull/4.patch — also I’ve attached the
fixed patch.
-Jay
refactor-nspawn-map-seccomp-to-capabilities.patch
Description: refactor-nspawn-map-seccomp-to-capabilities.patch
On Feb 20, 2015, at 4:18 PM, Jay Faulkner < j...@jvf.cc> wrote:
<refactor-nspawn-map-seccomp-to-capabilities.patch>Thanks, Jay Faulkner On Feb 20, 2015, at 2:24 PM, Jay Faulkner < j...@jvf.cc> wrote:
Hi all,
Two weeks ago[1] I patched systemd-nspawn to respect CAP_SYS_MODULE with regards to setting seccomp filters. As I needed access to some of the other blocked syscalls as well, I have a patch to map all seccomp filters to various capabilities, and
to only set those filters if the matching capability is dropped. The matching capabilities were taken from the man pages of the syscalls involved.
I’d also suggest that in the future, additional filters use this same mapping as to avoid breaking use cases like mine in the future. :)
Thanks,
Jay Faulkner
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.orghttp://lists.freedesktop.org/mailman/listinfo/systemd-devel
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.orghttp://lists.freedesktop.org/mailman/listinfo/systemd-devel
|
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
