Commit

Fix service call filter.
Christopher Pitstick committed Feb 1, 2024
1 parent 3fab31c commit ccead29
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion instfiles/xrdp.service.in
@@ -10,7 +10,9 @@ EnvironmentFile=-@sysconfdir@/sysconfig/xrdp
EnvironmentFile=-@sysconfdir@/default/xrdp
ExecStart=@sbindir@/xrdp $XRDP_OPTIONS --nodaemon
SystemCallArchitectures=native
SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process @signal ioctl madvise sysinfo uname
SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process
SystemCallFilter=@signal @system-service ioctl madvise sysinfo uname
SystemCallErrorNumber=EPERM

matt335672 Feb 6, 2024

Member

I'm not so sure the SystemCallErrorNumber=EPERM is a good idea.

This is above all a security feature, so I think the default operation is correct. Furthermore, if this happens the logging is sufficient to identify the failing system call. See #2697

[Install]
WantedBy=multi-user.target
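Review bot: adding @system-service on the second SystemCallFilter line widens the allow-list far beyond the single blocked call the commit thread mentions (brk). systemd documents @system-service as a broad superset that already contains @basic-io, @file-system, @io-event, @ipc, @network-io, @process and @signal as well as ioctl, madvise, sysinfo and uname, so the first SystemCallFilter line and the individual calls on the second become redundant, and the net filter is considerably looser than the line being removed. The commit message ("Fix service call filter.") does not record which call was being denied; suggest stating it there, identifying the exact failing call(s) from the journal (the inline comment above notes the logging is sufficient for that), and adding only those calls rather than the whole group. Separately, `SystemCallErrorNumber=EPERM` changes the failure mode from killing the process to a silently failing syscall, which is the weaker behaviour for a hardening filter; dropping that line, as already proposed in the thread, keeps the default.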

3 comments on commit ccead29

@Nexarian
Contributor

I'm happy to remove it! The rest of the change is:

  • Add @system-service as it was preventing brk from loading on one of my workstations.
  • Cosmetic. The line was getting too long.

@matt335672
Member

Thanks @Nexarian

Regarding @system-service see this comment by @iskunk

I should really have picked up on this sooner. Suggest we leave it as it is for now for v0.10 as we're now feature-frozen on that. We can revisit it when we merge this back into devel.

@Nexarian
Contributor

On my workstation, when I tried to simply add the crashing system call brk, it didn't work. I can try to make it more granular with future testing.