list of system call
names. If this setting is used, all
system calls executed by the unit
- process except for the listed ones
+ processes except for the listed ones
will result in immediate process
termination with the
<constant>SIGSYS</constant> signal
prior assignments will have no
effect.</para>
- <para>If you specify both types of this option
- (i.e. whitelisting and blacklisting) the first
- encountered will take precedence and will
- dictate the default action (termination
- or approval of a system call). Then the
- next occurrences of this option will add or
- delete the listed system calls from the set
- of the filtered system calls, depending of
- its type and the default action (e.g. You
- have started with a whitelisting of <function>
- read</function> and <function>write</function>
- and right after it add a blacklisting of
- <function>write</function>, then <function>
- write</function> will be removed from the set)
+ <para>If you specify both types of
+ this option (i.e. whitelisting and
+ blacklisting) the first encountered
+ will take precedence and will dictate
+ the default action (termination or
+ approval of a system call). Then the
+ next occurrences of this option will
+ add or delete the listed system calls
+ from the set of the filtered system
+ calls, depending of its type and the
+ default action (e.g. You have started
+ with a whitelisting of
+ <function>read</function> and
+ <function>write</function> and right
+ after it add a blacklisting of
+ <function>write</function>, then
+ <function>write</function> will be
+ removed from the set).
</para></listitem>
+
+ <para>Note that setting
+ <varname>SystemCallFilter=</varname>
+ implies a
+ <varname>SystemCallArchitectures=</varname>
+ setting of <literal>native</literal>
+ (see below), unless that option is
+ configured otherwise.</para>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SystemCallErrorNumber=</varname></term>
+
+ <listitem><para>Takes an
+ <literal>errno</literal> error number
+ name to return when the system call
+ filter configured with
+ <varname>SystemCallFilter=</varname>
+ is triggered, instead of terminating
+ the process immediately. Takes an
+ error name such as
+ <literal>EPERM</literal>,
+ <literal>EACCES</literal> or
+ <literal>EUCLEAN</literal>. When this
+ setting is not used, or when the empty
+ string is assigned the process will be
+ terminated immediately when the filter
+ is triggered.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SystemCallArchitectures=</varname></term>
+
+ <listitem><para>Takes a space
+ separated list of architecture
+ identifiers to include in the system
+ call filter. The known architecture
+ identifiers are
+ <literal>x86</literal>,
+ <literal>x86-64</literal>,
+ <literal>x32</literal>,
+ <literal>arm</literal> as well as the
+ special identifier
+ <literal>native</literal>. Only system
+ calls of the specified architectures
+ will be permitted to processes of this
+ unit. This is an effective way to
+ disable compatibility with non-native
+ architectures for processes, for
+ example to prohibit execution of 32bit
+ x86 binaries on 64bit x86-64
+ systems. The special
+ <literal>native</literal> identifier
+ implicitly maps to the native
+ architecture of the system (or more
+ strictly: to the architecture the
+ system manager is compiled for). Note
+ that setting this option to a
+ non-empty list implies that
+ <literal>native</literal> is included
+ too. By default this option is set to
+ the empty list, i.e. no architecture
+ system call filtering is applied. Note
+ that configuring a system call filter
+ with
+ <varname>SystemCallFilter=</varname>
+ (above) implies a
+ <literal>native</literal> architecture
+ list, unless configured
+ otherwise.</para></listitem>
</varlistentry>
</variablelist>
~ianmdlvl / elogind.git / blobdiff