如何使用 systemd-nspawn 创建限制性系统调用白名单？

Question

首先确保启用了 seccomp .. 根据 systemd-exec ，始终允许某些调用.. 允许执行、写入、打开、读取和许多其他调用.. SystemCallFilter= 有效，让您的生活轻松添加SystemCallLog=~chown或任何未知使用的系统调用和所有使用的系统调用都将被记录。在journalctl _AUDIT_TYPE_NAME=SECCOMP..中搜索它们

您的答案详细信息可以在这里找到。

--system-call-filter=

    Alter the system call filter applied to containers. Takes a space-separated list of system call names or group names (the latter prefixed with "@", as listed by the syscall-filter command of systemd-analyze(1)). Passed system calls will be permitted. The list may optionally be prefixed by "~", in which case all listed system calls are prohibited. If this command line option is used multiple times the configured lists are combined. If both a positive and a negative list (that is one system call list without and one with the "~" prefix) are configured, the negative list takes precedence over the positive list. Note that systemd-nspawn always implements a system call allow list (as opposed to a deny list!), and this command line option hence adds or removes entries from the default allow list, depending on the "~" prefix. Note that the applied system call filter is also altered implicitly if additional capabilities are passed using the --capabilities=.`enter code here

https://www.freedesktop.org/software/systemd/man/latest/systemd-nspawn.html

Answer 1

首先确保启用了 seccomp .. 根据 systemd-exec ，始终允许某些调用.. 允许执行、写入、打开、读取和许多其他调用.. SystemCallFilter= 有效，让您的生活轻松添加SystemCallLog=~chown或任何未知使用的系统调用和所有使用的系统调用都将被记录。在journalctl _AUDIT_TYPE_NAME=SECCOMP..中搜索它们

您的答案详细信息可以在这里找到。

--system-call-filter=

    Alter the system call filter applied to containers. Takes a space-separated list of system call names or group names (the latter prefixed with "@", as listed by the syscall-filter command of systemd-analyze(1)). Passed system calls will be permitted. The list may optionally be prefixed by "~", in which case all listed system calls are prohibited. If this command line option is used multiple times the configured lists are combined. If both a positive and a negative list (that is one system call list without and one with the "~" prefix) are configured, the negative list takes precedence over the positive list. Note that systemd-nspawn always implements a system call allow list (as opposed to a deny list!), and this command line option hence adds or removes entries from the default allow list, depending on the "~" prefix. Note that the applied system call filter is also altered implicitly if additional capabilities are passed using the --capabilities=.`enter code here

https://www.freedesktop.org/software/systemd/man/latest/systemd-nspawn.html

如何使用 systemd-nspawn 创建限制性系统调用白名单？

答案1

相关内容