author | Ronny Chevalier <chevalier.ronny@gmail.com> | 2014-02-12 01:29:54 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-12 18:30:36 +0100 |
commit | c0467cf387548dc98c0254f63553d862b35a84e5 (patch) | |
tree | 6ea69e522b79a81e5d7f1685ddbe50675ec0137c /man/systemd.exec.xml | |
parent | c6f7b693fedfd822febc219868fc810c32d458c5 (diff) |
syscallfilter: port to libseccomp
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index f4caccdd23..0c6ca5acfb 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1029,7 +1029,23 @@ merged. If the empty string is assigned, the filter is reset, all prior assignments will have no - effect.</para></listitem> + effect.</para> + + <para>If you specify both types of this option + (i.e. whitelisting and blacklisting) the first + encountered will take precedence and will + dictate the default action (termination + or approval of a system call). Then the + next occurrences of this option will add or + delete the listed system calls from the set + of the filtered system calls, depending of + its type and the default action (e.g. You + have started with a whitelisting of <function> + read</function> and <function>write</function> + and right after it add a blacklisting of + <function>write</function>, then <function> + write</function> will be removed from the set) + </para></listitem> </varlistentry> </variablelist> |
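Review bot: the new paragraph puts whitespace and line breaks inside the `<function>` elements ("<function> read</function>", "<function> write</function>"), which will render in the generated man page as " read" and " write" with a leading space; keep each name on one line inside its tags, i.e. `<function>read</function>` and `<function>write</function>`. The wording also needs a pass: "depending of its type" should read "depending on its type", "e.g. You have started" should be lowercase "e.g. you have started" with "right after it add" becoming "right after it you add", and the closing parenthetical lacks a period before `</para>`. Finally, "both types of this option" is only explained by the parenthetical "(i.e. whitelisting and blacklisting)"; naming the two forms up front ("if this option is used both as a whitelist and as a blacklist") and adding the mirror case to the example (a blacklist first, then a whitelist of one of its entries, which removes that call from the blacklisted set) would make the precedence rule unambiguous for readers who only skim the example.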