summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-10-25 16:08:38 +0200
committerLennart Poettering <lennart@poettering.net>2016-11-02 08:55:24 -0600
commit2ca8dc15f9cc050a8845b0a55f8226a7024ca623 (patch)
treee9da20ebdd9956b37228a5c7c79eb58eeabd149d
parent5cd9cd3537d1afca85877103615e61e6c03e7079 (diff)
man: document that too strict system call filters may affect the service manager
If execve() or socket() is filtered the service manager might get into trouble executing the service binary, or handling any failures when this fails. Mention this in the documentation. The other option would be to implicitly whitelist all system calls that are required for these codepaths. However, that appears less than desirable as this would mean socket() and many related calls have to be whitelisted unconditionally. As writing system call filters requires a certain level of expertise anyway it sounds like the better option to simply document these issues and suggest that the user disables system call filters in the service temporarily in order to debug any such failures. See: #3993.
-rw-r--r--man/systemd.exec.xml8
1 files changed, 8 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 7daa3ae78e..3c350df11f 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1270,6 +1270,14 @@
filter is reset, all prior assignments will have no effect. This does not affect commands prefixed with
<literal>+</literal>.</para>
+ <para>Note that strict system call filters may impact execution and error handling code paths of the service
+ invocation. Specifically, access to the <function>execve</function> system call is required for the execution
+ of the service binary — if it is blocked service invocation will necessarily fail. Also, if execution of the
+ service binary fails for some reason (for example: missing service executable), the error handling logic might
+ require access to an additional set of system calls in order to process and log this failure correctly. It
+ might be necessary to temporarily disable system call filters in order to simplify debugging of such
+ failures.</para>
+
<para>If you specify both types of this option (i.e.
whitelisting and blacklisting), the first encountered will
take precedence and will dictate the default action