path: root/man/systemd-nspawn.xml
author    Lennart Poettering <lennart@poettering.net>  2017-09-11 17:45:21 +0200
committer Lennart Poettering <lennart@poettering.net>  2017-09-12 14:06:21 +0200
commit    960e4569e17abf7c84f07b697d57ac7d0418edfc
tree      dd8c180c850f0c97fdf6811b6296e79a6d5b7d6b /man/systemd-nspawn.xml
parent    nspawn: replace homegrown seccomp filter table largely with references to the...
nspawn: implement configurable syscall whitelisting/blacklisting
Now that we have ported nspawn's seccomp code to the generic code in seccomp-util, let's extend it to support whitelisting and blacklisting of specific additional syscalls. This uses similar syntax as PID1's support for system call filtering, but in contrast to that always implements a blacklist (and not a whitelist), as we prepopulate the filter with a blacklist, and the unit's system call filter logic does not come with anything prepopulated.

(Later on we might actually want to invert the logic here, and whitelist rather than blacklist things, but at this point let's not do that. In case we switch this over later, the syscall add/remove logic of this commit should be compatible conceptually.)

Fixes: #5163
Replaces: #5944
Diffstat (limited to 'man/systemd-nspawn.xml')
-rw-r--r--  man/systemd-nspawn.xml | 17
1 files changed, 17 insertions, 0 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 5d3212dec7..c4db6a3ada 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -714,6 +714,23 @@
</varlistentry>
<varlistentry>
+ <term><option>--system-call-filter=</option></term>
+
+ <listitem><para>Alter the system call filter applied to containers. Takes a space-separated list of system call
+ names or group names (the latter prefixed with <literal>@</literal>, as listed by the
+ <command>syscall-filter</command> command of <citerefentry
+ project='man-pages'><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Passed
+ system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which case all
+ listed system calls are prohibited. If this command line option is used multiple times the configured lists are
+ combined. If both a positive and a negative list (that is one system call list without and one with the
+ <literal>~</literal> prefix) are configured, the positive list takes precedence over the negative list. Note
+ that <command>systemd-nspawn</command> always implements a system call blacklist (as opposed to a whitelist),
+ and this command line option hence adds or removes entries from the default blacklist, depending on the
+ <literal>~</literal> prefix. Note that the applied system call filter is also altered implicitly if additional
+ capabilities are passed using the <command>--capabilities=</command>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>--kill-signal=</option></term>
<listitem><para>Specify the process signal to send to the
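Review bot: the citerefentry for systemd-analyze(1) in the new paragraph carries project='man-pages', which points the generated cross-reference at the Linux man-pages project even though systemd-analyze is systemd's own manual page; drop the project attribute so it resolves like the other intra-systemd references. Two smaller points in the same listitem: --capabilities= is wrapped in <command> while the new term itself is written as <option>--system-call-filter=</option>, so for consistency it should read <option>--capabilities=</option>; and the sentence "the positive list takes precedence over the negative list" is hard to reconcile with the very next sentence saying nspawn only ever implements a blacklist, so spell out the concrete outcome for the reader (a system call named in both lists ends up permitted, i.e. removed from the default blacklist). The final sentence also says the filter is "altered implicitly" by additional capabilities without saying in which direction; stating that granting capabilities relaxes the filter would save an administrator from having to guess.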