SystemCallFilter setting
This systemd unit setting was added since systemd 187.
Purpose: define what syscalls are allowed or forbidden to be used by a process
Why and when to use SystemCallFilter
The setting SystemCallFilter aims to prevent misuse of syscalls that are not needed for normal functioning of a process. This powerful filtering restricts the abilities of a process, but requires understanding of processes by the system administrator. See the overview of Linux syscalls for more details.
Configuration
This setting takes a space-separated list and may be specified multiple times.
Allow-listing
By default the list contains the entries of allowed system call names. Unspecified syscalls will be denied and result in its process execution being stopped immediately.
Deny-listing
Another approach is to reverse this action by using a ~ as its first character. The principle of deny-listing will then be used. A match then will stop the execution of the process.
Combination
When both (allow-listing and deny-listing) are used, the first match will take precedence and define the default action to take.
Filter sets
Instead of defining each syscall, there are also predefined sets that can be used:
- @aio
- @basic-io
- @chown
- @clock
- @cpu-emulation
- @debug
- @file-system
- @io-event
- @ipc
- @keyring
- @memlock
- @module
- @mount
- @network-io
- @obsolete
- @pkey
- @privileged
- @process
- @raw-io
- @reboot
- @resources
- @sandbox
- @setuid
- @signal
- @swap
- @sync
- @system-service
- @timer
- @known
See systemd syscall filtering for more details, usage, and information about the predefined sets.
To know what syscalls are part of a set:
# systemd-analyze syscall-filter @mount
@mount
# Mounting and unmounting of file systems
chroot
fsconfig
fsmount
fsopen
fspick
mount
mount_setattr
move_mount
open_tree
pivot_root
umount
umount2
Generic advice
This setting is a powerful option to restrict what processes can do.
