Hi all,

My apologies if this is frowned upon, but this has been posted for a week and I 
haven’t gotten any feedback on it. I’d appreciate it if this could get reviewed 
and, if adequate, merged. I’m waiting on this change in order to be able to 
continue using systemd-nspawn containers, properly configured, to perform 
system tasks (such as firmware and BIOS flashing).

Thanks,
Jay Faulkner

On Feb 20, 2015, at 6:59 PM, Jay Faulkner <[email protected]> wrote:

After some additional testing, I found a bug in this patch where it would not 
compile with seccomp disabled. I’ve updated the patch at 
https://github.com/jayofdoom/systemd/pull/4.patch — also I’ve attached the 
fixed patch.

-Jay
<refactor-nspawn-map-seccomp-to-capabilities.patch>

On Feb 20, 2015, at 4:18 PM, Jay Faulkner <[email protected]> wrote:

Hi all,

At the suggestion (and with the assistance of) a co-worker, we remade this 
patch to not have quite as much repeated code. The new version is attached and 
can be found here https://github.com/jayofdoom/systemd/pull/4.patch — thanks!
<refactor-nspawn-map-seccomp-to-capabilities.patch>
Thanks,
Jay Faulkner
On Feb 20, 2015, at 2:24 PM, Jay Faulkner <[email protected]> wrote:

Hi all,

Two weeks ago[1] I patched systemd-nspawn to respect CAP_SYS_MODULE with 
regards to setting seccomp filters. As I needed access to some of the other 
blocked syscalls as well, I have a patch to map all seccomp filters to various 
capabilities, and to only set those filters if the matching capability is 
dropped. The matching capabilities were taken from the man pages of the 
syscalls involved.

I’d also suggest that in the future, additional filters use this same mapping 
so as to avoid breaking use cases like mine. :)

The patch is attached, but in case it gets mangled in transport as the last one 
did, feel free to get it directly from github here: 
https://github.com/jayofdoom/systemd/pull/3.patch.

Thanks,
Jay Faulkner
<nspawn-map-seccomp-to-capabilities.patch>
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
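The gating rule the thread proposes (install a seccomp filter for a syscall only when the capability that syscall requires has been dropped from the container) as an added example; this is not the attached patch nor systemd's own nspawn code. The syscall-to-capability table is my own assumption taken from the syscalls' man pages, not the list the patch ships, and the `__linux__` fallback values mirror the kernel's UAPI capability numbers so the file compiles elsewhere:

```c
/* Added example: gate seccomp syscall filters on whether the matching
 * capability has been dropped. Not the patch's code; the table below is
 * assumed from the syscalls' man pages and is not nspawn's filter list. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <linux/capability.h>
#else
/* Fallback values matching linux/capability.h so the example builds off-Linux. */
#define CAP_DAC_READ_SEARCH 2
#define CAP_SYS_MODULE 16
#define CAP_SYS_RAWIO 17
#define CAP_SYS_ADMIN 21
#define CAP_SYS_BOOT 22
#define CAP_SYS_TIME 25
#endif

/* One entry per syscall the sandbox would otherwise block unconditionally.
 * The capability is the one the syscall's man page says is required. */
struct syscall_cap {
        const char *syscall;
        int capability;
};

static const struct syscall_cap filter_table[] = {
        { "init_module",       CAP_SYS_MODULE },
        { "finit_module",      CAP_SYS_MODULE },
        { "delete_module",     CAP_SYS_MODULE },
        { "iopl",              CAP_SYS_RAWIO },
        { "ioperm",            CAP_SYS_RAWIO },
        { "kexec_load",        CAP_SYS_BOOT },
        { "settimeofday",      CAP_SYS_TIME },
        { "adjtimex",          CAP_SYS_TIME },
        { "clock_adjtime",     CAP_SYS_TIME },
        { "swapon",            CAP_SYS_ADMIN },
        { "swapoff",           CAP_SYS_ADMIN },
        { "open_by_handle_at", CAP_DAC_READ_SEARCH },
};
#define FILTER_TABLE_LEN (sizeof(filter_table) / sizeof(filter_table[0]))

/* Capability sets are modelled as a 64-bit mask, one bit per CAP_* number. */
static inline uint64_t cap_bit(int cap) { return UINT64_C(1) << cap; }

/* Select the syscalls that must be filtered given the capability set the
 * container keeps. A syscall is blocked only when its capability is dropped,
 * so retaining CAP_SYS_MODULE leaves the module syscalls reachable. Writes at
 * most `max` names to `out` and returns how many were written. */
size_t syscalls_to_filter(uint64_t retained_caps, const char **out, size_t max)
{
        size_t n = 0;
        for (size_t i = 0; i < FILTER_TABLE_LEN && n < max; i++) {
                if (retained_caps & cap_bit(filter_table[i].capability))
                        continue;   /* capability kept: no filter for this call */
                out[n++] = filter_table[i].syscall;
        }
        return n;
}

/* Is `name` among the syscalls that would be filtered for this capability set? */
int syscall_is_filtered(uint64_t retained_caps, const char *name)
{
        const char *blocked[FILTER_TABLE_LEN];
        size_t n = syscalls_to_filter(retained_caps, blocked, FILTER_TABLE_LEN);
        for (size_t i = 0; i < n; i++)
                if (strcmp(blocked[i], name) == 0)
                        return 1;
        return 0;
}

int main(void)
{
        /* Constructed scenario: a firmware-flashing container keeps
         * CAP_SYS_MODULE and CAP_SYS_RAWIO; every other capability is dropped. */
        uint64_t retained = cap_bit(CAP_SYS_MODULE) | cap_bit(CAP_SYS_RAWIO);
        const char *blocked[FILTER_TABLE_LEN];
        size_t n = syscalls_to_filter(retained, blocked, FILTER_TABLE_LEN);

        printf("seccomp filters to install (%zu):\n", n);
        for (size_t i = 0; i < n; i++)
                printf("  block %s\n", blocked[i]);
        return 0;
}
```

The selection step is the part worth keeping separate from filter installation: whatever mechanism actually loads the rules (libseccomp in nspawn's case), deriving the block list from the retained capability set means a container that legitimately keeps a capability does not also lose the syscalls that capability exists to authorise, which is the breakage the thread describes for module loading.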
