On Tue, 04.02.14 20:59, Ronny Chevalier ([email protected]) wrote:

> There is no problem if someone does something like:
> SystemCallFilter=write read execve
> SystemCallFilter=ioperm
> -- or --
> SystemCallFilter=~write read execve
> SystemCallFilter=~ioperm
>
> But in a case like:
> SystemCallFilter=~write read execve
> SystemCallFilter=ioperm
>
> What about ioperm? Should it be considered like ~ioperm? If yes, what
> happens if someone does something like this:
> SystemCallFilter=write read execve
> SystemCallFilter=~ioperm
>
> Should we ignore the ~ioperm and generate an error? Or something else?
> Since it doesn't mean anything.
Hmm, so currently when the first line is with "~" we start from a full
syscall set, and when it isn't, with an empty set, and then we add/remove
bits from it. And all subsequent lines will just continue adding/removing
bits from this set. I'd claim this is a reasonably simple and obvious thing
to do, as well as something that might even be useful to people -- think
about people dropping in ".d/" snippets that want to re-add a certain
syscall that the .service file itself had dropped...

> I mention this because I was about to send the new patch but I noticed
> that in the previous patch and the new one I forgot about this part in
> the documentation.

So yeah, I figure we should continue with this logic, and of course
probably document it...

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
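The merging rule Lennart describes (first SystemCallFilter= line decides whether the starting point is the full syscall set or the empty set; every line then adds or removes names from that set) can be modelled in a few lines. The following is an added illustration written for this thread, not systemd's own parser; the class and function names are assumptions, and the full syscall set is represented implicitly as "everything except `names`" so the model stays independent of the kernel's syscall table. Run against Ronny's two ambiguous cases it shows that, under this logic, a name added after a "~" line is simply re-allowed (a no-op if it was never removed), and a "~" line after an allow-list line simply removes the name (again a no-op if it was never added), rather than being an error. This also covers the drop-in case: a `.d/` snippet with `SystemCallFilter=ioperm` re-adds a syscall the unit file had dropped.

```python
"""Model of the SystemCallFilter= merging rule described in the thread.

Illustrative only (not systemd code): the first SystemCallFilter= line
chooses the starting set (full set if it begins with "~", empty set
otherwise); each line then adds names (no "~") or removes names ("~").
"""
from dataclasses import dataclass, field


@dataclass
class SyscallFilter:
    # deny_list=True  -> allowed set is "full set minus `names`"
    # deny_list=False -> allowed set is exactly `names`
    deny_list: bool
    names: set = field(default_factory=set)

    def allows(self, syscall: str) -> bool:
        """Return True if `syscall` would pass this filter."""
        if self.deny_list:
            return syscall not in self.names
        return syscall in self.names


def parse_line(value: str):
    """Split one SystemCallFilter= value into (negated, [names])."""
    value = value.strip()
    negated = value.startswith("~")
    if negated:
        value = value[1:]
    return negated, value.split()


def merge_filters(values):
    """Apply SystemCallFilter= values in order, following the described logic.

    `values` is the list of right-hand sides of SystemCallFilter= lines in
    the order they are read (unit file first, then any .d/ drop-ins).
    Returns None when no line was given (no filter installed).
    """
    result = None
    for value in values:
        negated, names = parse_line(value)
        if result is None:
            # First line decides: "~" -> start from the full set,
            # otherwise -> start from the empty set.
            result = SyscallFilter(deny_list=negated)
        if result.deny_list:
            if negated:
                result.names.update(names)             # drop from full set
            else:
                result.names.difference_update(names)  # re-add to full set
        else:
            if negated:
                result.names.difference_update(names)  # drop from allow list
            else:
                result.names.update(names)             # add to allow list
    return result


if __name__ == "__main__":
    # Constructed inputs: Ronny's two cases plus the drop-in scenario.
    cases = {
        "deny list, then plain name": ["~write read execve", "ioperm"],
        "allow list, then ~name": ["write read execve", "~ioperm"],
        "unit drops ioperm, drop-in re-adds it": ["~ioperm", "ioperm"],
    }
    for label, lines in cases.items():
        f = merge_filters(lines)
        print(f"{label}: deny_list={f.deny_list} names={sorted(f.names)} "
              f"ioperm allowed={f.allows('ioperm')}")
```

The model treats the "~" prefix exactly as the thread states it: it only decides the starting set on the first line, and on every line it decides the direction (add versus remove) relative to the set built so far. Whether a real unit should be able to re-add a syscall after a deny line is a policy question for the documentation; the point here is that nothing in the sequence is contradictory once the merge is defined this way.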
