Systemd gets seccomp filter support
Posted Jul 17, 2012 18:46 UTC (Tue) by walters
In reply to: Systemd gets seccomp filter support
Parent article: Systemd gets seccomp filter support
The nice thing about seccomp is that userspace is responsible for providing the policy, and the kernel just enforces it,
That's true of SELinux as well; I assume you're referring to AppArmor here or something. Or unless you're talking about the ability of a userspace program to *dynamically* adjust its filter in response to configuration files or environment, in which case yes it's definitely more flexible (although the proposed systemd syntax doesn't allow run-time mutation).
What would be kind of interesting though is if shared libraries could come with lists of system calls they could possibly make. That way if e.g. your app upgrades from GLib 2.28 to 2.30 (in between a lot of things changed, but e.g. I switched the main loop to use eventfd instead of pipe()), your app wouldn't have to change.
That'd require some integration work at the systemd side to introspect the binary before launching it and determine what shared libraries are used.
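The sketch in the comment above (per-library syscall lists, unioned with the application's own list, compiled into a seccomp filter that the kernel only enforces) worked through as an added example. This is not code from the comment, from systemd or from GLib: the per-library allowlists are constructed for illustration and GLib ships nothing of the kind, the syscall numbers are x86-64 ones from asm/unistd_64.h, and the filter is only generated and evaluated in a small offline interpreter, never installed with prctl(2) or seccomp(2). The DT_NEEDED introspection step is assumed to have already produced the list of libraries.

```python
"""Per-library syscall allowlists merged into one seccomp-bpf filter (added example)."""
import struct

# x86-64 syscall numbers (asm/unistd_64.h); the subset this example needs.
SYSCALLS = {
    "read": 0, "write": 1, "close": 3, "pipe": 22,
    "exit_group": 231, "openat": 257, "eventfd2": 290,
}
AUDIT_ARCH_X86_64 = 0xC000003E

# Offsets into struct seccomp_data, the "packet" seccomp hands the filter:
# int nr (0), __u32 arch (4), __u64 instruction_pointer (8), __u64 args[6] (16).
SECCOMP_DATA_NR = 0
SECCOMP_DATA_ARCH = 4

# Classic BPF opcodes and seccomp return values (linux/filter.h, linux/seccomp.h).
BPF_LD_W_ABS = 0x20        # A = *(u32 *)(data + k)
BPF_JMP_JEQ_K = 0x15       # pc += (A == k) ? jt : jf
BPF_RET_K = 0x06           # return k
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ALLOW = 0x7FFF0000

# Hypothetical allowlists, constructed for this example. The GLib ones mirror the
# comment's pipe() -> eventfd() switch; real GLib does not ship such lists.
APP_OWN_SYSCALLS = {"read", "write", "openat", "exit_group"}
GLIB_2_28_SYSCALLS = {"read", "write", "close", "pipe"}
GLIB_2_30_SYSCALLS = {"read", "write", "close", "eventfd2"}


def merged_allowlist(app_syscalls, library_syscalls):
    """Union the app's own list with each linked library's declared list.
    A launcher would derive library_syscalls from the binary's DT_NEEDED
    entries; here the lists are passed in directly (assumption)."""
    names = set(app_syscalls).union(*library_syscalls)
    return sorted(SYSCALLS[name] for name in names)


def build_filter(allowed_nrs):
    """Compile an allowlist into a classic-BPF seccomp program: arch check,
    load nr, one JEQ per allowed number jumping to ALLOW, KILL on fall-through.
    jt is an 8-bit offset, so large real filters use a binary search instead."""
    nrs = sorted(set(allowed_nrs))
    if len(nrs) > 250:
        raise ValueError("too many syscalls for a linear 8-bit jump chain")
    prog = [
        (BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_ARCH),
        (BPF_JMP_JEQ_K, 1, 0, AUDIT_ARCH_X86_64),   # wrong arch -> KILL
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        (BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_NR),
    ]
    for i, nr in enumerate(nrs):
        remaining = len(nrs) - i - 1       # comparisons still after this one
        # On match, skip the remaining comparisons and the KILL to land on ALLOW.
        prog.append((BPF_JMP_JEQ_K, remaining + 1, 0, nr))
    prog.append((BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS))
    prog.append((BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW))
    return prog


def encode_filter(prog):
    """Serialize to the struct sock_filter array prctl(PR_SET_SECCOMP) expects."""
    return b"".join(struct.pack("<HBBI", code, jt, jf, k) for code, jt, jf, k in prog)


def run_filter(prog, nr, arch=AUDIT_ARCH_X86_64):
    """Evaluate the program offline on a synthetic struct seccomp_data.
    Handles only the three opcodes build_filter emits: a model of the kernel's
    decision, not a general BPF interpreter."""
    data = struct.pack("<iI", nr, arch) + bytes(56)   # ip and args zeroed
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            acc = struct.unpack_from("<I", data, k)[0]
            pc += 1
        elif code == BPF_JMP_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")


def decision(library_syscalls, syscall_name):
    """Build the filter for an app linked against the given libraries and classify one syscall."""
    prog = build_filter(merged_allowlist(APP_OWN_SYSCALLS, library_syscalls))
    return "ALLOW" if run_filter(prog, SYSCALLS[syscall_name]) == SECCOMP_RET_ALLOW else "KILL"


if __name__ == "__main__":
    # The app's own list never changes; only the library's declared list does.
    for version, libs in (("GLib 2.28", [GLIB_2_28_SYSCALLS]), ("GLib 2.30", [GLIB_2_30_SYSCALLS])):
        print(version, "pipe:", decision(libs, "pipe"), "eventfd2:", decision(libs, "eventfd2"))
```

With the 2.28 list linked in, pipe is allowed and eventfd2 is killed; swapping in the 2.30 list flips both without touching the application's own allowlist, which is the property the comment is after. The arch check at the top of the program is what stops a 32-bit compat syscall from being matched against 64-bit numbers.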