seccomp and systemd

Daniele Nicolodi daniele at grinta.net
Wed May 17 17:47:06 UTC 2017


Hello,

I saw in the mailing list archives the discussion about the usefulness
of having a seccomp system call filter implemented in ntpsec.  Sorry for
not replying to that thread but I was not subscribed to the mailing list.

I just wanted to point out that systemd has the capability to install
seccomp filters for the services it manages:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=

I therefore see the implementation of seccomp in ntpsec as partly
redundant and I think that it would be much simpler to simply provide
systemd service configuration files that enable seccomp. Those would be
much easier for developers and admins to tweak than having to modify
ntpsec source code and recompile to adjust between platforms and library
versions.

Just my two cents.

Cheers,
Daniele
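
An added example, not part of the original message and not taken from ntpsec: a systemd drop-in of the kind the message proposes, using the SystemCallFilter= option it links to. The unit name ntpd.service, the drop-in path and the selection of syscall groups are assumptions and need tuning per platform and library version.

```ini
# Assumed path: /etc/systemd/system/ntpd.service.d/seccomp.conf
# (drop-in for a unit assumed to be named ntpd.service)
[Service]
# Allow-list form: the list does not start with "~", so every system
# call that is not named here is denied. Names starting with "@" are
# systemd's predefined syscall groups; repeated assignments are merged.
# Constructed starting set for a time daemon, to be verified against
# the actual ntpd build before relying on it:
SystemCallFilter=@basic-io @file-system @io-event @network-io
SystemCallFilter=@process @signal @timer
# Clock adjustment calls (adjtimex, clock_settime, ...), which most
# services should not have but a time daemon needs:
SystemCallFilter=@clock
# Needed only if the daemon drops privileges itself after start-up:
SystemCallFilter=@setuid

# Without this setting a denied call terminates the process with
# SIGSYS. Returning EPERM instead lets the daemon log the failure,
# which is easier to work with while the list is being tuned.
SystemCallErrorNumber=EPERM

# Refuse system calls made through non-native ABIs (for example
# 32-bit calls on a 64-bit host), which would bypass a filter
# written for the native syscall table.
SystemCallArchitectures=native

# Setting this explicitly ensures the service cannot gain new
# privileges through setuid binaries or file capabilities.
NoNewPrivileges=yes

# Apply with:
#   systemctl daemon-reload
#   systemctl restart ntpd.service
# List the members of each group with:
#   systemd-analyze syscall-filter
```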

