@robertgzr

Adds a --syscall-filter option to set custom system call filters.
After the comments in #5944 this now works similarly to the SystemCallFilter=
option in unit files.

This option takes a comma-separated list of system calls to allow.
If the first character of the list is "~", the listed system calls
will be blocked instead. Filter sets beginning with '@' are also
supported. This overwrites the nspawn default blacklist and the --[drop-]capability
options.

Fixes #5163

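As an added example (not systemd's code, nor this PR's), the following C evaluates a filter value written in the syntax the description above specifies: a comma-separated list, a leading "~" turning it into a deny list, and "@set" names expanding to groups. The "@clock" and "@reboot" contents here are a constructed illustrative subset; systemd resolves the real sets through libseccomp.

```c
/* Added example, not systemd code: evaluate a --syscall-filter value as the PR
 * description defines it. Set contents are a constructed illustrative subset. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed set lookup; systemd takes the real @sets from libseccomp. */
static const char *set_members(const char *set, size_t len) {
    if (len == 6 && strncmp(set, "@clock", 6) == 0) return "adjtimex,clock_settime,settimeofday";
    if (len == 7 && strncmp(set, "@reboot", 7) == 0) return "kexec_load,reboot";
    return NULL;
}

/* True if NAME is one comma-separated item of LIST, expanding "@set" items one level. */
static bool in_list(const char *list, const char *name) {
    size_t len = strlen(name);
    while (list && *list) {
        const char *end = strchr(list, ',');
        size_t l = end ? (size_t)(end - list) : strlen(list);
        if (l == len && strncmp(list, name, len) == 0) return true;
        if (list[0] == '@') {
            const char *m = set_members(list, l);
            if (m && in_list(m, name)) return true;
        }
        list = end ? end + 1 : NULL;
    }
    return false;
}

/* Decide whether syscall NAME passes filter VALUE. A leading '~' inverts the
 * allow list into a deny list; an empty list is invalid and allows nothing. */
static bool allowed_under(const char *value, const char *name) {
    bool deny = (*value == '~');
    if (deny) value++;
    if (*value == '\0') return false;
    bool listed = in_list(value, name);
    return deny ? !listed : listed;
}

int main(void) {
    const char *f = "~@clock,ptrace";   /* constructed example value */
    printf("%s: settimeofday %s, read %s\n", f,
           allowed_under(f, "settimeofday") ? "allowed" : "blocked",
           allowed_under(f, "read") ? "allowed" : "blocked");
    return 0;
}
```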
@poettering
Member

poettering commented Sep 11, 2017

Oh, ha, what a coincidence... Because development of the seccomp nspawn stuff stalled I started working on the same thing, and independently pushed a PR exactly 2min after you in #6798.

@poettering
Member

Hmm, how do we proceed with this? PR #6798 has a couple of other fixes, so I am tempted to use that. It also adds support for this in .nspawn files. Do you miss anything in #6798 or would that work for you?

@robertgzr
Author

robertgzr commented Sep 11, 2017

wow^^ I see... I think it would also work. Something I like is having the default blacklist also just be a FilterSet that can be used like the others. But it doesn't really matter...

The default blacklist should also be documented somewhere to make finding bugs like kinvolk/kube-spawn#21 easier

@poettering
Member

> wow^^ I see... I think it would also work. Something I like is having the default blacklist also just be a FilterSet that can be used like the others. But it doesn't really matter...

So I thought about going that way, but ultimately decided not to go down this path, as the FilterSet structure doesn't have a caps field, which we need here (and I am not sure we should add it globally). Moreover it has the description field and stuff and carries a name, both of which we don't really need here, since we don't want to expose this grouping externally...

@poettering
Member

> The default blacklist should also be documented somewhere to make finding bugs like kinvolk/kube-spawn#21 easier

Yes, we should. But I think this should be done in a later PR, in particular as I intend to do a later commit that inverts the blacklist to become a whitelist (like docker is doing it), and then document the new logic in that PR.

@poettering
Member

poettering commented Sep 12, 2017

As I understand you, you are fine with continuing with #6798 instead of this one? I'll close this one then.

Sorry again for clashing with your work on that; I assumed you guys had lost interest, and I hacked this up mostly in order to be able to test the bpf stuff in #6764 in a container without going crazy...

@poettering poettering closed this Sep 12, 2017