nspawn: Allow whitelisting syscalls in seccomp filter #5163

@nhlfr

Submission type

  • Bug report
  • Request for enhancement (RFE)

NOTE: Do not submit anything other than bug reports or RFEs via the issue tracker!

systemd version the issue has been seen with

every version

NOTE: Do not submit bug reports about anything but the two most recently released systemd versions upstream!

Used distribution

Fedora

systemd-nspawn has a defined list of syscalls which are blocked by seccomp:

https://github.com/systemd/systemd/blob/8d3eafa161af22bb04dc0210885ffe79560a59ee/src/nspawn/nspawn-seccomp.c

However, sometimes users would like to whitelist some of them. A good example is keyctl. This syscall is needed, e.g., when you want to execute runc inside a systemd-nspawn container, because runc uses it. This could be useful, e.g., for "nested containerization" (running Docker/runc inside nspawn).

What I would like to propose is to have a CLI arg like --whitelist-seccomp-syscalls in which the user could provide the syscalls which he/she would like to use and not include in the seccomp filter.
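An added example, not systemd's code and not part of the issue: a deny-list seccomp filter built as classic BPF, where syscall names supplied by the user are left out of the filter, as the request describes. The deny-list entries other than keyctl and the names build_filter and verdict are assumptions made for the illustration. It also assumes a single native syscall ABI; a deployed filter additionally checks seccomp_data.arch before comparing syscall numbers.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Constructed deny-list (assumption): only keyctl is named in the issue. */
static const struct { const char *name; int nr; } denied[] = {
    { "keyctl", SYS_keyctl }, { "kexec_load", SYS_kexec_load }, { "swapon", SYS_swapon } };
#define N_DENIED (sizeof(denied) / sizeof(denied[0]))

/* Returns 1 if name is an exact element of the comma-separated list csv. */
static int in_list(const char *csv, const char *name) {
    size_t n = strlen(name);
    while (csv && *csv) {
        if (strncmp(csv, name, n) == 0 && (csv[n] == ',' || csv[n] == '\0')) return 1;
        csv = strchr(csv, ',');
        if (csv) csv++;
    }
    return 0;
}

/* Emits deny-list minus allow_csv, default allow; returns instruction count or -1. */
int build_filter(const char *allow_csv, struct sock_filter *out, size_t cap) {
    size_t k = 0;
    if (cap < 2 * N_DENIED + 2) return -1;
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_DENIED; i++) {
        if (in_list(allow_csv, denied[i].name)) continue;  /* user override: emit no rule */
        out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied[i].nr, 0, 1);
        out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)k;
}

/* Evaluates the three opcodes emitted above so the verdict can be inspected offline. */
unsigned int verdict(const struct sock_filter *f, int len, int nr) {
    unsigned int acc = 0;
    for (int pc = 0; pc < len; pc++) {
        switch (f[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:  acc = (unsigned int)nr; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case BPF_RET | BPF_K:           return f[pc].k;
        }
    }
    return SECCOMP_RET_KILL;  /* malformed program: fail closed */
}
```

To apply such a program to a process, it is wrapped in a struct sock_fprog and loaded with prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog).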

Labels: RFE 🎁 (Request for Enhancement, i.e. a feature request), nspawn
