Systemd 'SystemCallFilter' question

Hello!

In Systemd,

What does this sign " ~ " mean?

Does it mean SysCall @clock is excluded from SysCall filtering?

when I set it to:

SystemCallFilter=~@clock ?

Does it mean I filter out the SysCall name "@clock"?

If not?

Then SystemCallFilter must be set to:

SystemCallFilter=@clock

to filter it out right?

SystemCallFilter= Takes a space-separated list of system call names. If this setting is used, all system calls executed by the unit processes except for the listed ones will result in immediate process termination with the SIGSYS signal (whitelisting). If the first character of the list is "~", the effect is inverted: only the listed system calls will result in immediate process termination (blacklisting).

HTH

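As an added illustration of the two forms described in the quoted documentation (this is not from any of the posters, and the unit name myservice.service is assumed), here is a drop-in that combines an allow-list line with a "~" deny-list line; when a unit has several SystemCallFilter= lines, systemd merges them, so the "~" line removes its groups from whatever the allow-list granted:

```ini
# /etc/systemd/system/myservice.service.d/10-syscalls.conf  (assumed unit name)
[Service]
# Allow-list form (no "~"): only the system calls in @system-service may be
# made; any other call terminates the process with SIGSYS.
SystemCallFilter=@system-service
# Deny-list form ("~"): these groups are removed from the set granted above.
# Groups the allow-list never granted are unaffected, so listing them here
# is harmless but redundant.
SystemCallFilter=~@clock @privileged @resources
# Optional: return EPERM to the caller instead of killing the process, so a
# filtered call shows up as a failed call in the service's own logs rather
# than as a SIGSYS crash.
SystemCallErrorNumber=EPERM
```

`systemd-analyze syscall-filter @clock` prints the system calls a group expands to, and `systemctl show -p SystemCallFilter myservice.service` shows the filter systemd actually resolved for the unit.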

Thanks for the info, @pavlos_kairis.

I set this for my self-created systemd service file in /lib/systemd/system:

SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @resources @system-service

If I have understood you correctly,

SystemCallFilter=~SysCall-Name1 SysCall-Name2 SysCall-Name3 = Blacklist SysCalls?
SystemCallFilter=SysCall-Name = Whitelist SysCalls?

right?

Pavlos hasn't responded yet, so I'll respond in his place.

To me, the second box appears to be correct:

So in short, yes!