path: root/TODO
author: Greg Depoire--Ferrer <greg.depoire@gmail.com> 2020-10-29 00:51:30 +0100
committer: Lennart Poettering <lennart@poettering.net> 2020-12-10 16:13:02 +0100
commit: 6597686865ffcba7450b44814618b94321cfa3cf (patch)
tree: facc7785d20b1f8ce5fb8ddc0d9ef479d042f1e0 /TODO
parent: 104fc4be11e4429edcb81d39c2299433b71c54f6 (diff)
download: systemd-6597686865ffcba7450b44814618b94321cfa3cf.tar.gz
seccomp: don't install filters for archs that can't use syscalls
When seccomp_restrict_archs is called, architectures that are blocked are replaced by the SECCOMP_LOCAL_ARCH_BLOCKED marker so that they are not disabled again and filters are not installed for them. This can make some services that use SystemCallArchitectures= and SystemCallFilter= start faster.
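The mechanism the commit message describes can be seen in a small model: a table of architectures the process may use, a restrict step that overwrites blocked slots with a marker so a later call does not block them again, and a per-arch filter loader that skips marked slots instead of loading a filter the kernel would never consult. The code below is an added example written for this page, not systemd's seccomp-util code: the table layout, the `ARCH_BLOCKED_MARKER` value standing in for `SECCOMP_LOCAL_ARCH_BLOCKED`, the function names and the arch ids are all assumptions of this model, and no real seccomp(2) calls are made.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the bookkeeping described in the commit message.
 * This is not systemd's code: table layout, marker value and function
 * names are this example's own assumptions. */

/* Stand-in for SECCOMP_LOCAL_ARCH_BLOCKED: a slot that has been blocked
 * is overwritten with this value. */
#define ARCH_BLOCKED_MARKER UINT32_MAX

/* Constructed sample: ids are arbitrary. A real table would hold the
 * native arch and the compatible ABIs the kernel also accepts. */
enum { ARCH_X86_64 = 1, ARCH_X86 = 2, ARCH_X32 = 3 };

typedef struct {
        uint32_t arch;     /* arch id, or ARCH_BLOCKED_MARKER once blocked */
        const char *name;
} ArchEntry;

static const ArchEntry initial_archs[] = {
        { ARCH_X86_64, "x86_64" },
        { ARCH_X86,    "x86"    },
        { ARCH_X32,    "x32"    },
};
#define N_LOCAL_ARCHS (sizeof(initial_archs) / sizeof(initial_archs[0]))

static ArchEntry local_archs[N_LOCAL_ARCHS];

/* Counters standing in for work the kernel would do per seccomp(2) call. */
static unsigned n_arch_block_calls;
static unsigned n_filters_loaded;

/* Reset to the state before any SystemCallArchitectures= was applied. */
void reset_model(void) {
        for (size_t i = 0; i < N_LOCAL_ARCHS; i++)
                local_archs[i] = initial_archs[i];
        n_arch_block_calls = 0;
        n_filters_loaded = 0;
}

/* Model of seccomp_restrict_archs(): block every arch not in 'allowed'.
 * Slots already carrying the marker are skipped, so a second call neither
 * blocks the same arch again nor pays for doing so.
 * Returns the number of archs newly blocked by this call. */
unsigned restrict_archs(const uint32_t *allowed, size_t n_allowed) {
        unsigned newly_blocked = 0;

        for (size_t i = 0; i < N_LOCAL_ARCHS; i++) {
                if (local_archs[i].arch == ARCH_BLOCKED_MARKER)
                        continue;                 /* already blocked earlier */

                bool keep = false;
                for (size_t j = 0; j < n_allowed; j++)
                        if (allowed[j] == local_archs[i].arch)
                                keep = true;
                if (keep)
                        continue;

                n_arch_block_calls++;             /* one kernel-side block per arch */
                local_archs[i].arch = ARCH_BLOCKED_MARKER;
                newly_blocked++;
        }
        return newly_blocked;
}

/* Model of loading one filter set (e.g. one SystemCallFilter= list) once
 * per arch. skip_blocked=false is the old behaviour the TODO item
 * complained about: a filter is loaded even for archs that can no longer
 * issue syscalls. skip_blocked=true honours the marker.
 * Returns how many per-arch filters were loaded for this set. */
unsigned load_filter_per_arch(const char *filter_name, bool skip_blocked) {
        unsigned n = 0;

        for (size_t i = 0; i < N_LOCAL_ARCHS; i++) {
                if (skip_blocked && local_archs[i].arch == ARCH_BLOCKED_MARKER)
                        continue;
                printf("load %s for %s\n", filter_name, local_archs[i].name);
                n_filters_loaded++;
                n++;
        }
        return n;
}

unsigned total_filters_loaded(void) { return n_filters_loaded; }
unsigned total_arch_block_calls(void) { return n_arch_block_calls; }

int main(void) {
        const uint32_t native_only[] = { ARCH_X86_64 };

        reset_model();
        printf("blocked now: %u\n", restrict_archs(native_only, 1));
        printf("blocked again: %u\n", restrict_archs(native_only, 1));
        load_filter_per_arch("@system-service", false);   /* old way: 3 loads */
        load_filter_per_arch("@system-service", true);    /* with marker: 1 load */
        printf("total filters loaded: %u\n", total_filters_loaded());
        return 0;
}
```

With only the native arch allowed, the first restrict call blocks the two foreign slots, the second call is a no-op because it sees the marker, and a filter set is loaded once instead of three times. That is the whole saving the commit message claims; in systemd the real table holds libseccomp arch values and the loads are seccomp(2) calls, which is where the startup time goes.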
Diffstat (limited to 'TODO')
-rw-r--r-- TODO | 4
1 file changed, 0 insertions, 4 deletions
diff --git a/TODO b/TODO
index 4affa324dc..c4f000e20f 100644
--- a/TODO
+++ b/TODO
@@ -135,10 +135,6 @@ Features:
o move into separate libsystemd-shared-iptables.so .so
- iptables-libs (only used by nspawn + networkd)
-* seccomp: when SystemCallArchitectures=native is set then don't install any
- other seccomp filters for any of the other archs, in order to reduce the
- number of seccomp filters we install needlessly.
-
* seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
Apparently kernel performance is much better with fewer larger seccomp
filters than with more smaller seccomp filters.
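Review bot: the removed TODO entry was scoped to SystemCallArchitectures=native only, while the commit message describes seccomp_restrict_archs marking any blocked architecture with SECCOMP_LOCAL_ARCH_BLOCKED so that no filter is installed for it; that is a superset of the item, so dropping it is justified, but the code change itself is not in this TODO-only view, so before merging confirm in the full commit that the marker is both written by seccomp_restrict_archs and honoured by every per-arch filter loop (SystemCallFilter= and the other seccomp-based directives), otherwise the item should stay. Consider also mentioning in the commit message that the native-only case is covered, since that is what the deleted text promised. The neighbouring seccomp_merge() item pursues the same goal of fewer, larger filters and correctly remains open.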