author: Lennart Poettering <lennart@poettering.net> 2014-02-12 18:28:21 +0100
committer: Lennart Poettering <lennart@poettering.net> 2014-02-12 18:30:36 +0100
commit: 17df7223be064b1542dbe868e3b35cca977ee639
tree: 8c88ea1827e95cb5a0c639b17a30b4295b924f79 /man
parent: c0467cf387548dc98c0254f63553d862b35a84e5
core: rework syscall filter
- Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process.
- Fix parsing logic when libseccomp support is turned off.
- Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
Diffstat (limited to 'man')
-rw-r--r-- man/systemd.exec.xml | 54
1 files changed, 39 insertions, 15 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 0c6ca5acf..86ad7e223 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1001,7 +1001,7 @@
list of system call
names. If this setting is used, all
system calls executed by the unit
- process except for the listed ones
+ processes except for the listed ones
will result in immediate process
termination with the
<constant>SIGSYS</constant> signal
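Review bot: the unchanged context immediately after the edited line, "will result in immediate process termination with the <constant>SIGSYS</constant> signal", is no longer unconditionally true once this same patch introduces SystemCallErrorNumber=, under which a filtered system call returns an errno instead of killing the process; since this sentence is being touched anyway, qualify it (for example "... termination with the SIGSYS signal, unless SystemCallErrorNumber= is set") or add a cross-reference to the new option so the two entries do not contradict each other. The singular-to-plural change "process" to "processes" itself is fine.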
@@ -1031,23 +1031,47 @@
prior assignments will have no
effect.</para>
- <para>If you specify both types of this option
- (i.e. whitelisting and blacklisting) the first
- encountered will take precedence and will
- dictate the default action (termination
- or approval of a system call). Then the
- next occurrences of this option will add or
- delete the listed system calls from the set
- of the filtered system calls, depending of
- its type and the default action (e.g. You
- have started with a whitelisting of <function>
- read</function> and <function>write</function>
- and right after it add a blacklisting of
- <function>write</function>, then <function>
- write</function> will be removed from the set)
+ <para>If you specify both types of
+ this option (i.e. whitelisting and
+ blacklisting) the first encountered
+ will take precedence and will dictate
+ the default action (termination or
+ approval of a system call). Then the
+ next occurrences of this option will
+ add or delete the listed system calls
+ from the set of the filtered system
+ calls, depending of its type and the
+ default action (e.g. You have started
+ with a whitelisting of
+ <function>read</function> and
+ <function>write</function> and right
+ after it add a blacklisting of
+ <function>write</function>, then
+ <function>write</function> will be
+ removed from the set).
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>SystemCallErrorNumber=</varname></term>
+
+ <listitem><para>Takes an
+ <literal>errno</literal> error number
+ name to return when the system call
+ filter configured with
+ <varname>SystemCallFilter=</varname>
+ is triggered, instead of terminating
+ the process immediately. Takes an
+ error name such as
+ <literal>EPERM</literal>,
+ <literal>EACCES</literal> or
+ <literal>EUCLEAN</literal>. When this
+ setting is not used, or when the empty
+ string is assigned the process will be
+ terminated immediately when the filter
+ is triggered.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
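Review bot: the re-wrapped paragraph carries over two pre-existing wording defects that should be fixed while these lines are being rewritten anyway: "depending of its type" should read "depending on its type", and "(e.g. You have started" should not capitalise mid-sentence. In the new SystemCallErrorNumber= entry, "Takes an <literal>errno</literal> error number name to return ..." and, two sentences later, "Takes an error name such as ..." say the same thing; merge them into a single sentence listing the example names. It would also help to state explicitly that this option has no effect unless SystemCallFilter= is also configured, which the current text only implies through "when the system call filter configured with <varname>SystemCallFilter=</varname> is triggered".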