| author | Lennart Poettering <lennart@poettering.net> | 2018-02-05 13:52:23 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-02-05 13:52:23 +0100 |
| commit | cb51f86af8c243d626a54ca7aefc388db741452a (patch) | |
| tree | 0809d001b566486665341455f357d4c276133de9 /man | |
| parent | da4ec1411e29b8f932286e2b41fa9d710dba48f8 (diff) | |
| parent | 2428aaf8a24e8792506de5653a373ddfcee6d722 (diff) | |
| download | systemd-cb51f86af8c243d626a54ca7aefc388db741452a.tar.gz | |
Merge pull request #8077 from sourcejedi/seccomp_cosmetic
seccomp: allow x86-64 syscalls on x32, used by the VDSO (fix #8060)
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.exec.xml | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index fc3b9ffd16..f01599f656 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1429,17 +1429,19 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> filter. The known architecture identifiers are the same as for <varname>ConditionArchitecture=</varname> described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, as well as <constant>x32</constant>, <constant>mips64-n32</constant>, <constant>mips64-le-n32</constant>, and - the special identifier <constant>native</constant>. If this setting is used, processes of this unit will only - be permitted to call native system calls, and system calls of the specified architectures. This is an - effective way to disable compatibility with non-native architectures for processes, for example to prohibit - execution of 32-bit x86 binaries on 64-bit x86-64 systems. The special <constant>native</constant> identifier + the special identifier <constant>native</constant>. The special identifier <constant>native</constant> implicitly maps to the native architecture of the system (or more precisely: to the architecture the system manager is compiled for). If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. By default, this option is set to the empty list, i.e. no system call architecture filtering is applied.</para> - <para>Note that system call filtering is not equally effective on all architectures. For example, on x86 + <para>If this setting is used, processes of this unit will only be permitted to call native system calls, and + system calls of the specified architectures. For the purposes of this option, the x32 architecture is treated + as including x86-64 system calls. However, this setting still fulfills its purpose, as explained below, on + x32.</para> + + <para>System call filtering is not equally effective on all architectures. 
For example, on x86 filtering of network socket-related calls is not possible, due to ABI limitations — a limitation that x86-64 does not have, however. On systems supporting multiple ABIs at the same time — such as x86/x86-64 — it is hence recommended to limit the set of permitted system call architectures so that secondary ABIs may not be used to |
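Review bot: the first `+` line now reads "... and the special identifier <constant>native</constant>. The special identifier <constant>native</constant> implicitly maps to the native architecture ...", and the back-to-back repetition of "the special identifier native" reads awkwardly; folding it into one clause ("..., and the special identifier <constant>native</constant>, which implicitly maps to the native architecture of the system ...") would avoid it. The removed lines also carried the concrete illustration "for example to prohibit execution of 32-bit x86 binaries on 64-bit x86-64 systems", which the new "If this setting is used ..." paragraph drops; since that is the main reason an administrator reaches for SystemCallArchitectures=, consider keeping the example in the new paragraph. Finally, "this setting still fulfills its purpose, as explained below, on x32" is a fragile forward reference: stating the link directly, namely that permitting x86-64 calls on x32 does not reintroduce the x86 socket-call filtering gap the following paragraph describes, would make the paragraph self-contained.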