diff options
| author | Lennart Poettering <lennart@poettering.net> | 2016-10-25 16:08:38 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2016-11-02 08:55:24 -0600 |
| commit | 2ca8dc15f9cc050a8845b0a55f8226a7024ca623 (patch) | |
| tree | e9da20ebdd9956b37228a5c7c79eb58eeabd149d | |
| parent | 5cd9cd3537d1afca85877103615e61e6c03e7079 (diff) | |
man: document that too strict system call filters may affect the service manager
If execve() or socket() is filtered the service manager might get into trouble
executing the service binary, or handling any failures when this fails. Mention
this in the documentation.
The other option would be to implicitly whitelist all system calls that are
required for these codepaths. However, that appears less than desirable as this
would mean socket() and many related calls have to be whitelisted
unconditionally. As writing system call filters requires a certain level of
expertise anyway it sounds like the better option to simply document these
issues and suggest that the user disables system call filters in the service
temporarily in order to debug any such failures.
See: #3993.
| -rw-r--r-- | man/systemd.exec.xml | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 7daa3ae78e..3c350df11f 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1270,6 +1270,14 @@ filter is reset, all prior assignments will have no effect. This does not affect commands prefixed with <literal>+</literal>.</para> + <para>Note that strict system call filters may impact execution and error handling code paths of the service + invocation. Specifically, access to the <function>execve</function> system call is required for the execution + of the service binary — if it is blocked service invocation will necessarily fail. Also, if execution of the + service binary fails for some reason (for example: missing service executable), the error handling logic might + require access to an additional set of system calls in order to process and log this failure correctly. It + might be necessary to temporarily disable system call filters in order to simplify debugging of such + failures.</para> + <para>If you specify both types of this option (i.e. whitelisting and blacklisting), the first encountered will take precedence and will dictate the default action |