author: Lennart Poettering <lennart@poettering.net> 2017-09-14 10:18:57 +0200
committer: Lennart Poettering <lennart@poettering.net> 2017-09-14 15:45:21 +0200
commit: 96bedbe2e5301fe0e93993de0e9a31baf2679168
tree: 09abce13c62fd1713fa22d60d0fb879b683f1496 /man/systemd-nspawn.xml
parent: seccomp: improve debug logging
nspawn: replace syscall blacklist by a whitelist

Let's lock things down a bit, and maintain a list of what's permitted rather than a list of what's prohibited in nspawn (also to make things a bit more like Docker and friends). Note that this slightly alters the effect of --system-call-filter=, as the negative list now takes precedence over the positive list. However, given that the option is just a few days old and not included in any released version it should be fine to change it at this point in time.

Note that the whitelist is a good chunk more restrictive than the previous blacklist. Specifically:

- fanotify is not permitted (given the buffer size issues it's problematic in containers)
- nfsservctl is not permitted (NFS server support is not virtualized)
- pkey_xyz stuff is not permitted (really new stuff I don't grok)
- @cpu-emulation is prohibited (untested legacy stuff mostly, and if people really want to run dosemu in nspawn, they should use --system-call-filter=@cpu-emulation and all should be good)
Diffstat (limited to 'man/systemd-nspawn.xml'):

-rw-r--r--  man/systemd-nspawn.xml | 6
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index c4db6a3ada..3951e32e8f 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -723,9 +723,9 @@
system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which case all
listed system calls are prohibited. If this command line option is used multiple times the configured lists are
combined. If both a positive and a negative list (that is one system call list without and one with the
- <literal>~</literal> prefix) are configured, the positive list takes precedence over the negative list. Note
- that <command>systemd-nspawn</command> always implements a system call blacklist (as opposed to a whitelist),
- and this command line option hence adds or removes entries from the default blacklist, depending on the
+ <literal>~</literal> prefix) are configured, the negative list takes precedence over the positive list. Note
+ that <command>systemd-nspawn</command> always implements a system call whitelist (as opposed to a blacklist),
+ and this command line option hence adds or removes entries from the default whitelist, depending on the
<literal>~</literal> prefix. Note that the applied system call filter is also altered implicitly if additional
capabilities are passed using the <command>--capabilities=</command>.</para></listitem>
</varlistentry>
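Review bot: The rewritten paragraph tells the reader that nspawn "always implements a system call whitelist" but gives no way to find out what that default whitelist contains, and it does not mention that a system call group which used to be allowed (@cpu-emulation, per the commit message) is now blocked and has to be re-enabled explicitly; both of those are exactly what an administrator hitting a newly failing container will need from this man page. Suggest adding one sentence after "depending on the <literal>~</literal> prefix." along the lines of "The default whitelist is intentionally restrictive; system call groups such as <literal>@cpu-emulation</literal> are not included and must be enabled explicitly, e.g. <command>--system-call-filter=@cpu-emulation</command>." and, since the hunk also flips the precedence rule from "positive wins" to "negative wins", the sentence "the negative list takes precedence over the positive list" should be illustrated with a short example of the combined effect (one positive and one negative list naming the same call) so that the reversal is unambiguous to readers who learned the earlier behaviour.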