* [ptxdist] systemd: seccomp
@ 2015-11-29 15:21 Clemens Gruber
2015-11-29 15:47 ` Uwe Kleine-König
0 siblings, 1 reply; 3+ messages in thread
From: Clemens Gruber @ 2015-11-29 15:21 UTC (permalink / raw)
To: ptxdist; +Cc: Michael Olbrich
Hi,
I noticed that the systemd rule in ptxdist explicitly disables seccomp
support. Would be great to have support for SystemCallFilter in service
files.
I therefore added libseccomp and modified the systemd rule to enable
seccomp (optionally via a menu entry).
I use the current git master Linux kernel with CONFIG_SECCOMP enabled.
Even though systemctl --version shows +SECCOMP, the SystemCallFilter
statement does not have any effect.
For testing, I only allowed one syscall for a program which needs much
more, but it did still run normally as if no SystemCallFilter had been
set at all.
Platform used:
- ARM (i.MX6Q) with ptxdist: SystemCallFilter had no effect
- x86_64 (Intel i7 6700K) with ArchLinux: Working perfectly
Can you reproduce this and do you have any idea why this isn't working?
Thanks,
Clemens
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [ptxdist] systemd: seccomp
2015-11-29 15:21 [ptxdist] systemd: seccomp Clemens Gruber
@ 2015-11-29 15:47 ` Uwe Kleine-König
2015-12-20 15:30 ` Clemens Gruber
0 siblings, 1 reply; 3+ messages in thread
From: Uwe Kleine-König @ 2015-11-29 15:47 UTC (permalink / raw)
To: ptxdist; +Cc: Michael Olbrich
Hello,
On Sun, Nov 29, 2015 at 04:21:32PM +0100, Clemens Gruber wrote:
> I noticed that the systemd rule in ptxdist explicitly disables seccomp
> support. Would be great to have support for SystemCallFilter in service
> files.
>
> I therefore added libseccomp and modified the systemd rule to enable
> seccomp (optionally via a menu entry).
> I use the current git master Linux kernel with CONFIG_SECCOMP enabled.
>
> Even though systemctl --version shows +SECCOMP, the SystemCallFilter
> statement does not have any effect.
> For testing, I only allowed one syscall for a program which needs much
> more, but it did still run normally as if no SystemCallFilter had been
> set at all.
>
> Platform used:
> - ARM (i.MX6Q) with ptxdist: SystemCallFilter had no effect
> - x86_64 (Intel i7 6700K) with ArchLinux: Working perfectly
the obvious cross test is to test arch on your i.MX6 and a ptxdist
generated os on your i7.
Best regards
Uwe
--
Pengutronix e.K. | Uwe Kleine-König |
Industrial Linux Solutions | http://www.pengutronix.de/ |
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [ptxdist] systemd: seccomp
2015-11-29 15:47 ` Uwe Kleine-König
@ 2015-12-20 15:30 ` Clemens Gruber
0 siblings, 0 replies; 3+ messages in thread
From: Clemens Gruber @ 2015-12-20 15:30 UTC (permalink / raw)
To: ptxdist
Hi,
On Sun, Nov 29, 2015 at 04:47:13PM +0100, Uwe Kleine-König wrote:
> Hello,
>
> On Sun, Nov 29, 2015 at 04:21:32PM +0100, Clemens Gruber wrote:
> > I noticed that the systemd rule in ptxdist explicitly disables seccomp
> > support. Would be great to have support for SystemCallFilter in service
> > files.
> >
> > I therefore added libseccomp and modified the systemd rule to enable
> > seccomp (optionally via a menu entry).
> > I use the current git master Linux kernel with CONFIG_SECCOMP enabled.
> >
> > Even though systemctl --version shows +SECCOMP, the SystemCallFilter
> > statement does not have any effect.
> > For testing, I only allowed one syscall for a program which needs much
> > more, but it did still run normally as if no SystemCallFilter had been
> > set at all.
> >
> > Platform used:
> > - ARM (i.MX6Q) with ptxdist: SystemCallFilter had no effect
> > - x86_64 (Intel i7 6700K) with ArchLinux: Working perfectly
> the obvious cross test is to test arch on your i.MX6 and a ptxdist
> generated os on your i7.
>
> Best regards
> Uwe
Thanks Uwe. I looked into cross testing but customizing the ARM version
of ArchLinux to our custom board is too much work at the moment.
Maybe I can reproduce it with other ARM boards like the Raspberry Pi or
the BeagleBone Black, for which working ArchLinux images already exist.
Michael: Do you have an idea what could lead to the SystemCallFilter
having no effect even though systemd shows +SECCOMP?
If it's working for you, we could still add seccomp support for systemd
in ptxdist and I have to figure out why it isn't working on my i.MX6
board.
I noticed just now that I did not have CONFIG_CHECKPOINT_RESTORE enabled
in my kernel when testing systemd with seccomp. I will repeat the tests
with that configuration set, maybe that's the culprit..
Thanks,
Clemens
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-12-20 15:30 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-11-29 15:21 [ptxdist] systemd: seccomp Clemens Gruber
2015-11-29 15:47 ` Uwe Kleine-König
2015-12-20 15:30 ` Clemens Gruber
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox