03.10.2015 20:47, Peter Ragosch writes:
On Sat, 3 Oct 2015 18:55:47 +0300, Andrei Borzenkov wrote:

raven:~ # cat /proc/self/status | grep -i seccomp
Seccomp: 2
raven:~ #
Yes, you have seccomp enabled in mode 2. Unfortunately, I do not know if it is possible to fetch the actual seccomp filter in use.
Please read man systemd-system.conf. Check every file and directory mentioned in this page - does it have SystemCallArchitectures set, and to which value? If there is none - something enables seccomp and you will find out what. Start with booting with init=/bin/sh. What value does Seccomp have now? Boot into run level 1 - what value does Seccomp have now?
Under /etc/systemd/ I found two files containing SystemCallArchitectures:
/etc/systemd/system.conf: SystemCallArchitectures=x86-64 (other entries commented out)
/etc/systemd/user.conf: all entries commented out
I found: SystemCallArchitectures= Takes a space-separated list of architecture identifiers. Selects from which architectures system calls may be invoked on this system.
So I guess "x86-64" is not correct in case 32bit code should be executable, too. It should be "x86 x86-64". Right?
Default is nothing (this line is commented out). This means - no seccomp filters at all installed by systemd. So comment it out.
init=/bin/sh Seccomp: 2
Well, it probably got copied into the initrd, so every process now inherits the filter. You also need to recreate the initrd after commenting out SystemCallArchitectures.
init 1 to 5 Seccomp: 2
I think, I got the intention of SECure COMputing. (I'm not a programmer, only a user) But I can't see what is able to set the Seccomp mode, except it depends on the SystemCallArchitectures option. And if so, what has changed the option and why?
That I cannot answer. You can check the modification time of this file and try to remember what happened at that point. But unless you had audit enabled, unfortunately there is no way to know it for sure.
On the other hand, is it secure to change the SystemCallArchitectures option simply to "x86 x86-64"?
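The two checks discussed in this thread (the Seccomp field in /proc/<pid>/status and the search for an active SystemCallArchitectures= line), as an added shell example that is not part of the original messages. The function names are hypothetical; the configuration locations are the ones listed in systemd-system.conf(5), and the optional root argument is an assumption that lets the same search run against an unpacked initrd tree.

```shell
#!/bin/sh
# Added example (constructed, not from the thread).

# Print the seccomp mode from a /proc/<pid>/status file.
# Kernel values: 0 = disabled, 1 = strict, 2 = filter.
seccomp_mode() {
    status_file="${1:-/proc/self/status}"
    # "^Seccomp:" does not match the newer "Seccomp_filters:" line.
    mode=$(sed -n 's/^Seccomp:[[:space:]]*\([0-9]*\).*/\1/p' "$status_file")
    case "$mode" in
        0) echo "0 disabled" ;;
        1) echo "1 strict" ;;
        2) echo "2 filter" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Print every active (uncommented) SystemCallArchitectures= line found in
# the manager configuration files below an optional root directory.
# Output format: <file>:<setting>
find_syscall_arch() {
    root="${1:-}"
    for dir in etc run usr/lib; do
        for f in "$root/$dir"/systemd/system.conf \
                 "$root/$dir"/systemd/user.conf \
                 "$root/$dir"/systemd/system.conf.d/*.conf \
                 "$root/$dir"/systemd/user.conf.d/*.conf; do
            # Unmatched globs stay literal; skip anything that is not a file.
            [ -f "$f" ] || continue
            grep -HE '^[[:space:]]*SystemCallArchitectures[[:space:]]*=' "$f" || :
        done
    done
}

# Report on the running system. Pass the path of an unpacked initrd to
# find_syscall_arch to see whether a copy of the setting is embedded there.
seccomp_mode /proc/self/status || true
find_syscall_arch ""
```

No output from find_syscall_arch means no file sets the option, which is the default the reply describes.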