[ptxdist] systemd: seccomp

mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed

* [ptxdist] systemd: seccomp
@ 2015-11-29 15:21 Clemens Gruber
  2015-11-29 15:47 ` Uwe Kleine-König
  0 siblings, 1 reply; 3+ messages in thread
From: Clemens Gruber @ 2015-11-29 15:21 UTC (permalink / raw)
  To: ptxdist; +Cc: Michael Olbrich

Hi,

I noticed that the systemd rule in ptxdist explicitly disables seccomp
support. Would be great to have support for SystemCallFilter in service
files.

I therefore added libseccomp and modified the systemd rule to enable
seccomp (optionally via a menu entry).
I use the current git master Linux kernel with CONFIG_SECCOMP enabled.

Even though systemctl --version shows +SECCOMP, the SystemCallFilter
statement does not have any effect.
For testing, I only allowed one syscall for a program which needs much
more, but it did still run normally as if no SystemCallFilter had been
set at all.

Platform used:
- ARM (i.MX6Q) with ptxdist: SystemCallFilter had no effect
- x86_64 (Intel i7 6700K) with ArchLinux: Working perfectly

Can you reproduce this and do you have any idea why this isn't working?

Thanks,
Clemens

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [ptxdist] systemd: seccomp
  2015-11-29 15:21 [ptxdist] systemd: seccomp Clemens Gruber
@ 2015-11-29 15:47 ` Uwe Kleine-König
  2015-12-20 15:30   ` Clemens Gruber
  0 siblings, 1 reply; 3+ messages in thread
From: Uwe Kleine-König @ 2015-11-29 15:47 UTC (permalink / raw)
  To: ptxdist; +Cc: Michael Olbrich

Hello,

On Sun, Nov 29, 2015 at 04:21:32PM +0100, Clemens Gruber wrote:
> I noticed that the systemd rule in ptxdist explicitly disables seccomp
> support. Would be great to have support for SystemCallFilter in service
> files.
> 
> I therefore added libseccomp and modified the systemd rule to enable
> seccomp (optionally via a menu entry).
> I use the current git master Linux kernel with CONFIG_SECCOMP enabled.
> 
> Even though systemctl --version shows +SECCOMP, the SystemCallFilter
> statement does not have any effect.
> For testing, I only allowed one syscall for a program which needs much
> more, but it did still run normally as if no SystemCallFilter had been
> set at all.
> 
> Platform used:
> - ARM (i.MX6Q) with ptxdist: SystemCallFilter had no effect
> - x86_64 (Intel i7 6700K) with ArchLinux: Working perfectly
the obvious cross test is to test arch on your i.MX6 and a ptxdist
generated os on your i7.

Best regards
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [ptxdist] systemd: seccomp
  2015-11-29 15:47 ` Uwe Kleine-König
@ 2015-12-20 15:30   ` Clemens Gruber
  0 siblings, 0 replies; 3+ messages in thread
From: Clemens Gruber @ 2015-12-20 15:30 UTC (permalink / raw)
  To: ptxdist

Hi,

On Sun, Nov 29, 2015 at 04:47:13PM +0100, Uwe Kleine-König wrote:
> Hello,
> 
> On Sun, Nov 29, 2015 at 04:21:32PM +0100, Clemens Gruber wrote:
> > I noticed that the systemd rule in ptxdist explicitly disables seccomp
> > support. Would be great to have support for SystemCallFilter in service
> > files.
> > 
> > I therefore added libseccomp and modified the systemd rule to enable
> > seccomp (optionally via a menu entry).
> > I use the current git master Linux kernel with CONFIG_SECCOMP enabled.
> > 
> > Even though systemctl --version shows +SECCOMP, the SystemCallFilter
> > statement does not have any effect.
> > For testing, I only allowed one syscall for a program which needs much
> > more, but it did still run normally as if no SystemCallFilter had been
> > set at all.
> > 
> > Platform used:
> > - ARM (i.MX6Q) with ptxdist: SystemCallFilter had no effect
> > - x86_64 (Intel i7 6700K) with ArchLinux: Working perfectly
> the obvious cross test is to test arch on your i.MX6 and a ptxdist
> generated os on your i7.
> 
> Best regards
> Uwe

Thanks Uwe. I looked into cross testing but customizing the ARM version
of ArchLinux to our custom board is too much work at the moment.
Maybe I can reproduce it with other ARM boards like the Raspberry Pi or
the BeagleBone Black, for which working ArchLinux images already exist.

Michael: Do you have an idea what could lead to the SystemCallFilter
having no effect even though systemd shows +SECCOMP?

If it's working for you, we could still add seccomp support for systemd
in ptxdist and I have to figure out why it isn't working on my i.MX6
board.

I noticed just now that I did not have CONFIG_CHECKPOINT_RESTORE enabled
in my kernel when testing systemd with seccomp. I will repeat the tests
with that configuration set, maybe that's the culprit..

Thanks,
Clemens

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2015-12-20 15:30 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-11-29 15:21 [ptxdist] systemd: seccomp Clemens Gruber
2015-11-29 15:47 ` Uwe Kleine-König
2015-12-20 15:30   ` Clemens Gruber

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox