Merge pull request #6999 from poettering/seccomp-newgroups

add three new syscall groups, and port @privileged to make use of more existing ones
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2017-10-05 22:06:39 +02:00 committed by GitHub
commit 082827e6c6
5 changed files with 59 additions and 35 deletions

NEWS

@ -118,8 +118,8 @@ CHANGES WITH 235:
each time the service is restarted due to Restart=, and may be each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …". queried using "systemctl show -p NRestarts …".
* New system call filter groups @setuid, @memlock, @signal and * New system call filter groups @aio, @sync, @chown, @setuid, @memlock,
@timer have been added, for usage with SystemCallFilter= @signal and @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above). of systemd-nspawn (see above).


@ -1490,10 +1490,18 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row>
<entry>@aio</entry>
<entry>Asynchronous I/O (<citerefentry project='man-pages'><refentrytitle>io_setup</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>io_submit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
</row>
<row> <row>
<entry>@basic-io</entry> <entry>@basic-io</entry>
<entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> <entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
</row> </row>
<row>
<entry>@chown</entry>
<entry>Changing file ownership (<citerefentry project='man-pages'><refentrytitle>chown</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>fchownat</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
</row>
<row> <row>
<entry>@clock</entry> <entry>@clock</entry>
<entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
@ -1574,6 +1582,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<entry>@swap</entry> <entry>@swap</entry>
<entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry> <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
</row> </row>
<row>
<entry>@sync</entry>
<entry>Synchronizing files and memory to disk: (<citerefentry project='man-pages'><refentrytitle>fsync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>msync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
</row>
<row> <row>
<entry>@timer</entry> <entry>@timer</entry>
<entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> <entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>


@ -49,7 +49,9 @@ static int seccomp_add_default_syscall_filter(
const char* name; const char* name;
} whitelist[] = { } whitelist[] = {
/* Let's use set names where we can */ /* Let's use set names where we can */
{ 0, "@aio" },
{ 0, "@basic-io" }, { 0, "@basic-io" },
{ 0, "@chown" },
{ 0, "@default" }, { 0, "@default" },
{ 0, "@file-system" }, { 0, "@file-system" },
{ 0, "@io-event" }, { 0, "@io-event" },
@ -60,6 +62,7 @@ static int seccomp_add_default_syscall_filter(
{ 0, "@resources" }, { 0, "@resources" },
{ 0, "@setuid" }, { 0, "@setuid" },
{ 0, "@signal" }, { 0, "@signal" },
{ 0, "@sync" },
{ 0, "@timer" }, { 0, "@timer" },
/* The following four are sets we optionally enable, in case the caps have been configured for it */ /* The following four are sets we optionally enable, in case the caps have been configured for it */
@ -72,42 +75,25 @@ static int seccomp_add_default_syscall_filter(
{ 0, "brk" }, { 0, "brk" },
{ 0, "capget" }, { 0, "capget" },
{ 0, "capset" }, { 0, "capset" },
{ 0, "chown" },
{ 0, "chown32" },
{ 0, "copy_file_range" }, { 0, "copy_file_range" },
{ 0, "fadvise64" }, { 0, "fadvise64" },
{ 0, "fadvise64_64" }, { 0, "fadvise64_64" },
{ 0, "fchown" },
{ 0, "fchown32" },
{ 0, "fchownat" },
{ 0, "fdatasync" },
{ 0, "flock" }, { 0, "flock" },
{ 0, "fsync" },
{ 0, "get_mempolicy" }, { 0, "get_mempolicy" },
{ 0, "getcpu" }, { 0, "getcpu" },
{ 0, "getpriority" }, { 0, "getpriority" },
{ 0, "getrandom" }, { 0, "getrandom" },
{ 0, "io_cancel" },
{ 0, "io_destroy" },
{ 0, "io_getevents" },
{ 0, "io_setup" },
{ 0, "io_submit" },
{ 0, "ioctl" }, { 0, "ioctl" },
{ 0, "ioprio_get" }, { 0, "ioprio_get" },
{ 0, "kcmp" }, { 0, "kcmp" },
{ 0, "lchown" },
{ 0, "lchown32" },
{ 0, "madvise" }, { 0, "madvise" },
{ 0, "mincore" }, { 0, "mincore" },
{ 0, "mprotect" }, { 0, "mprotect" },
{ 0, "mremap" }, { 0, "mremap" },
{ 0, "msync" },
{ 0, "name_to_handle_at" }, { 0, "name_to_handle_at" },
{ 0, "oldolduname" }, { 0, "oldolduname" },
{ 0, "olduname" }, { 0, "olduname" },
{ 0, "personality" }, { 0, "personality" },
{ 0, "preadv2" },
{ 0, "pwritev2" },
{ 0, "readahead" }, { 0, "readahead" },
{ 0, "readdir" }, { 0, "readdir" },
{ 0, "remap_file_pages" }, { 0, "remap_file_pages" },
@ -131,9 +117,6 @@ static int seccomp_add_default_syscall_filter(
{ 0, "setpgid" }, { 0, "setpgid" },
{ 0, "setsid" }, { 0, "setsid" },
{ 0, "splice" }, { 0, "splice" },
{ 0, "sync" },
{ 0, "sync_file_range" },
{ 0, "syncfs" },
{ 0, "sysinfo" }, { 0, "sysinfo" },
{ 0, "tee" }, { 0, "tee" },
{ 0, "umask" }, { 0, "umask" },


@ -317,6 +317,16 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"time\0" "time\0"
"ugetrlimit\0" "ugetrlimit\0"
}, },
[SYSCALL_FILTER_SET_AIO] = {
.name = "@aio",
.help = "Asynchronous IO",
.value =
"io_cancel\0"
"io_destroy\0"
"io_getevents\0"
"io_setup\0"
"io_submit\0"
},
[SYSCALL_FILTER_SET_BASIC_IO] = { [SYSCALL_FILTER_SET_BASIC_IO] = {
.name = "@basic-io", .name = "@basic-io",
.help = "Basic IO", .help = "Basic IO",
@ -329,13 +339,27 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"lseek\0" "lseek\0"
"pread64\0" "pread64\0"
"preadv\0" "preadv\0"
"preadv2\0"
"pwrite64\0" "pwrite64\0"
"pwritev\0" "pwritev\0"
"pwritev2\0"
"read\0" "read\0"
"readv\0" "readv\0"
"write\0" "write\0"
"writev\0" "writev\0"
}, },
[SYSCALL_FILTER_SET_CHOWN] = {
.name = "@chown",
.help = "Change ownership of files and directories",
.value =
"chown\0"
"chown32\0"
"fchown\0"
"fchown32\0"
"fchownat\0"
"lchown\0"
"lchown32\0"
},
[SYSCALL_FILTER_SET_CLOCK] = { [SYSCALL_FILTER_SET_CLOCK] = {
.name = "@clock", .name = "@clock",
.help = "Change the system time", .help = "Change the system time",
@ -600,27 +624,20 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.name = "@privileged", .name = "@privileged",
.help = "All system calls which need super-user capabilities", .help = "All system calls which need super-user capabilities",
.value = .value =
"@chown\0"
"@clock\0" "@clock\0"
"@module\0" "@module\0"
"@raw-io\0" "@raw-io\0"
"@reboot\0"
"@swap\0"
"_sysctl\0" "_sysctl\0"
"acct\0" "acct\0"
"bpf\0" "bpf\0"
"capset\0" "capset\0"
"chown\0"
"chown32\0"
"chroot\0" "chroot\0"
"fchown\0"
"fchown32\0"
"fchownat\0"
"kexec_file_load\0"
"kexec_load\0"
"lchown\0"
"lchown32\0"
"nfsservctl\0" "nfsservctl\0"
"pivot_root\0" "pivot_root\0"
"quotactl\0" "quotactl\0"
"reboot\0"
"setdomainname\0" "setdomainname\0"
"setfsuid\0" "setfsuid\0"
"setfsuid32\0" "setfsuid32\0"
@ -633,8 +650,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"setreuid32\0" "setreuid32\0"
"setuid\0" "setuid\0"
"setuid32\0" "setuid32\0"
"swapoff\0"
"swapon\0"
"vhangup\0" "vhangup\0"
}, },
[SYSCALL_FILTER_SET_PROCESS] = { [SYSCALL_FILTER_SET_PROCESS] = {
@ -681,8 +696,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.name = "@reboot", .name = "@reboot",
.help = "Reboot and reboot preparation/kexec", .help = "Reboot and reboot preparation/kexec",
.value = .value =
"kexec\0"
"kexec_file_load\0" "kexec_file_load\0"
"kexec_load\0"
"reboot\0" "reboot\0"
}, },
[SYSCALL_FILTER_SET_RESOURCES] = { [SYSCALL_FILTER_SET_RESOURCES] = {
@ -746,6 +761,17 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"swapoff\0" "swapoff\0"
"swapon\0" "swapon\0"
}, },
[SYSCALL_FILTER_SET_SYNC] = {
.name = "@sync",
.help = "Synchronize files and memory to storage",
.value =
"fdatasync\0"
"fsync\0"
"msync\0"
"sync\0"
"sync_file_range\0"
"syncfs\0"
},
[SYSCALL_FILTER_SET_TIMER] = { [SYSCALL_FILTER_SET_TIMER] = {
.name = "@timer", .name = "@timer",
.help = "Schedule operations by time", .help = "Schedule operations by time",


@ -41,7 +41,9 @@ typedef struct SyscallFilterSet {
enum { enum {
/* Please leave DEFAULT first, but sort the rest alphabetically */ /* Please leave DEFAULT first, but sort the rest alphabetically */
SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_DEFAULT,
SYSCALL_FILTER_SET_AIO,
SYSCALL_FILTER_SET_BASIC_IO, SYSCALL_FILTER_SET_BASIC_IO,
SYSCALL_FILTER_SET_CHOWN,
SYSCALL_FILTER_SET_CLOCK, SYSCALL_FILTER_SET_CLOCK,
SYSCALL_FILTER_SET_CPU_EMULATION, SYSCALL_FILTER_SET_CPU_EMULATION,
SYSCALL_FILTER_SET_DEBUG, SYSCALL_FILTER_SET_DEBUG,
@ -62,6 +64,7 @@ enum {
SYSCALL_FILTER_SET_SETUID, SYSCALL_FILTER_SET_SETUID,
SYSCALL_FILTER_SET_SIGNAL, SYSCALL_FILTER_SET_SIGNAL,
SYSCALL_FILTER_SET_SWAP, SYSCALL_FILTER_SET_SWAP,
SYSCALL_FILTER_SET_SYNC,
SYSCALL_FILTER_SET_TIMER, SYSCALL_FILTER_SET_TIMER,
_SYSCALL_FILTER_SET_MAX _SYSCALL_FILTER_SET_MAX
}; };