core: add SystemCallArchitectures= unit setting to allow disabling of non-native

architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2026-03-06 15:02:31 -08:00 · 2014-02-13 00:24:00 +01:00
parent 351a19b17d
commit 57183d117a
11 changed files with 348 additions and 18 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1050,6 +1050,14 @@
                                <function>write</function> will be
                                removed from the set).
                                </para></listitem>
+
+                                <para>Note that setting
+                                <varname>SystemCallFilter=</varname>
+                                implies a
+                                <varname>SystemCallArchitectures=</varname>
+                                setting of <literal>native</literal>
+                                (see below), unless that option is
+                                configured otherwise.</para>
                        </varlistentry>

                        <varlistentry>
@@ -1072,6 +1080,48 @@
                                is triggered.</para></listitem>
                        </varlistentry>

+                        <varlistentry>
+                                <term><varname>SystemCallArchitectures=</varname></term>
+
+                                <listitem><para>Takes a space
+                                separated list of architecture
+                                identifiers to include in the system
+                                call filter. The known architecture
+                                identifiers are
+                                <literal>x86</literal>,
+                                <literal>x86-64</literal>,
+                                <literal>x32</literal>,
+                                <literal>arm</literal> as well as the
+                                special identifier
+                                <literal>native</literal>. Only system
+                                calls of the specified architectures
+                                will be permitted to processes of this
+                                unit. This is an effective way to
+                                disable compatibility with non-native
+                                architectures for processes, for
+                                example to prohibit execution of 32bit
+                                x86 binaries on 64bit x86-64
+                                systems. The special
+                                <literal>native</literal> identifier
+                                implicitly maps to the native
+                                architecture of the system (or more
+                                strictly: to the architecture the
+                                system manager is compiled for). Note
+                                that setting this option to a
+                                non-empty list implies that
+                                <literal>native</literal> is included
+                                too. By default this option is set to
+                                the empty list, i.e. no architecture
+                                system call filtering is applied. Note
+                                that configuring a system call filter
+                                with
+                                <varname>SystemCallFilter=</varname>
+                                (above) implies a
+                                <literal>native</literal> architecture
+                                list, unless configured
+                                otherwise.</para></listitem>
+                        </varlistentry>
+
                </variablelist>
        </refsect1>