LWN.net

Systemd gets seccomp filter support

Posted Jul 17, 2012 19:43 UTC (Tue) by mezcalero (subscriber, #45103)
In reply to: Systemd gets seccomp filter support by felixfix
Parent article: Systemd gets seccomp filter support

Almost no service in a systemd install actually causes the boot to fail. Basically only file system mounts can do that, and very little else.

But in general this discussion is really pointless. If you write a syscall filter list, an SELinux policy, a capabilities list, or an AppArmor policy, they all have in common that you need a good idea of what a specific program is allowed to do and what not. So syscall filter lists have the same "problem" as any other security technology; there is nothing new in this.

Note, however, that of all the techs listed above, writing a syscall filter list is probably by far the easiest, since most admins have probably played around with the tool for that at least once in their life: strace.
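
What deriving a filter list from strace can look like, as an added example that is not part of the comment above: the script collects syscall names from `strace -f` output and prints them as a systemd `SystemCallFilter=` line. The trace is constructed sample data, and the service name `exampled` and the function names are assumptions.

```python
import re

# Constructed sample of `strace -f` output (not captured from a real service).
SAMPLE_TRACE = """\
execve("/usr/sbin/exampled", ["exampled"], 0x7ffd0 /* 12 vars */) = 0
brk(NULL)                               = 0x55d0c000
openat(AT_FDCWD, "/etc/exampled.conf", O_RDONLY) = 3
read(3, "port=8080\\n", 4096)            = 10
close(3)                                = 0
[pid  4121] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid  4121] accept4(4,  <unfinished ...>
[pid  4120] read(5, "x", 1)             = 1
[pid  4121] <... accept4 resumed>NULL, NULL, SOCK_CLOEXEC) = 6
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4122} ---
[pid  4121] write(6, "ok\\n", 3)         = 3
exit_group(0)                           = ?
+++ exited with 0 +++
"""

# Optional "[pid N]" or bare pid column (-f), then an optional timestamp (-t/-tt/-ttt).
_PREFIX = r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:[\d:.]+\s+)?"
_CALL = re.compile(_PREFIX + r"([a-z_][a-z0-9_]*)\(")
# With -f, a call interrupted by another thread is completed on a "resumed" line.
_RESUMED = re.compile(_PREFIX + r"<\.\.\. ([a-z_][a-z0-9_]*) resumed>")


def syscalls_from_trace(text):
    """Return the sorted, de-duplicated syscall names seen in strace output."""
    names = set()
    for line in text.splitlines():
        # Signal ("--- SIG...") and exit ("+++ ...") lines match neither pattern.
        m = _CALL.match(line) or _RESUMED.match(line)
        if m:
            names.add(m.group(1))
    return sorted(names)


def unit_fragment(names):
    """Render the names as a [Service] fragment with an allow-list filter."""
    return "[Service]\nSystemCallFilter=" + " ".join(names) + "\n"


if __name__ == "__main__":
    print(unit_fragment(syscalls_from_trace(SAMPLE_TRACE)), end="")
```

A trace only records the code paths that ran while strace was attached, so error handling and rarely used features may need syscalls that are missing from the generated list.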


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds