core: Add ProtectKernelLogs
If seccomp is enabled, load the SYSCALL_FILTER_SET_SYSLOG into the seccomp filter set. Drop the CAP_SYSLOG capability.
This commit is contained in:
parent
620dbdd248
commit
8470304018
|
@ -783,6 +783,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
|
|||
SD_BUS_PROPERTY("PrivateDevices", "b", bus_property_get_bool, offsetof(ExecContext, private_devices), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("ProtectKernelTunables", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_tunables), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("ProtectKernelModules", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_modules), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("ProtectKernelLogs", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_logs), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("ProtectControlGroups", "b", bus_property_get_bool, offsetof(ExecContext, protect_control_groups), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("PrivateNetwork", "b", bus_property_get_bool, offsetof(ExecContext, private_network), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("PrivateUsers", "b", bus_property_get_bool, offsetof(ExecContext, private_users), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
|
@ -1274,6 +1275,9 @@ int bus_exec_context_set_transient_property(
|
|||
if (streq(name, "ProtectKernelModules"))
|
||||
return bus_set_transient_bool(u, name, &c->protect_kernel_modules, message, flags, error);
|
||||
|
||||
if (streq(name, "ProtectKernelLogs"))
|
||||
return bus_set_transient_bool(u, name, &c->protect_kernel_logs, message, flags, error);
|
||||
|
||||
if (streq(name, "ProtectControlGroups"))
|
||||
return bus_set_transient_bool(u, name, &c->protect_control_groups, message, flags, error);
|
||||
|
||||
|
|
|
@ -1396,6 +1396,7 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
|
|||
exec_context_restrict_namespaces_set(c) ||
|
||||
c->protect_kernel_tunables ||
|
||||
c->protect_kernel_modules ||
|
||||
c->protect_kernel_logs ||
|
||||
c->private_devices ||
|
||||
context_has_syscall_filters(c) ||
|
||||
!set_isempty(c->syscall_archs) ||
|
||||
|
@ -1542,6 +1543,19 @@ static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
|
|||
return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM), false);
|
||||
}
|
||||
|
||||
static int apply_protect_kernel_logs(const Unit *u, const ExecContext *c) {
|
||||
assert(u);
|
||||
assert(c);
|
||||
|
||||
if (!c->protect_kernel_logs)
|
||||
return 0;
|
||||
|
||||
if (skip_seccomp_unavailable(u, "ProtectKernelLogs="))
|
||||
return 0;
|
||||
|
||||
return seccomp_protect_syslog();
|
||||
}
|
||||
|
||||
static int apply_private_devices(const Unit *u, const ExecContext *c) {
|
||||
assert(u);
|
||||
assert(c);
|
||||
|
@ -3679,6 +3693,12 @@ static int exec_child(
|
|||
return log_unit_error_errno(unit, r, "Failed to apply module loading restrictions: %m");
|
||||
}
|
||||
|
||||
r = apply_protect_kernel_logs(unit, context);
|
||||
if (r < 0) {
|
||||
*exit_status = EXIT_SECCOMP;
|
||||
return log_unit_error_errno(unit, r, "Failed to apply kernel log restrictions: %m");
|
||||
}
|
||||
|
||||
r = apply_private_devices(unit, context);
|
||||
if (r < 0) {
|
||||
*exit_status = EXIT_SECCOMP;
|
||||
|
@ -4318,6 +4338,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
|
|||
"%sPrivateDevices: %s\n"
|
||||
"%sProtectKernelTunables: %s\n"
|
||||
"%sProtectKernelModules: %s\n"
|
||||
"%sProtectKernelLogs: %s\n"
|
||||
"%sProtectControlGroups: %s\n"
|
||||
"%sPrivateNetwork: %s\n"
|
||||
"%sPrivateUsers: %s\n"
|
||||
|
@ -4338,6 +4359,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
|
|||
prefix, yes_no(c->private_devices),
|
||||
prefix, yes_no(c->protect_kernel_tunables),
|
||||
prefix, yes_no(c->protect_kernel_modules),
|
||||
prefix, yes_no(c->protect_kernel_logs),
|
||||
prefix, yes_no(c->protect_control_groups),
|
||||
prefix, yes_no(c->private_network),
|
||||
prefix, yes_no(c->private_users),
|
||||
|
|
|
@ -257,6 +257,7 @@ struct ExecContext {
|
|||
bool private_mounts;
|
||||
bool protect_kernel_tunables;
|
||||
bool protect_kernel_modules;
|
||||
bool protect_kernel_logs;
|
||||
bool protect_control_groups;
|
||||
ProtectSystem protect_system;
|
||||
ProtectHome protect_home;
|
||||
|
|
|
@ -115,6 +115,7 @@ $1.PrivateTmp, config_parse_bool, 0,
|
|||
$1.PrivateDevices, config_parse_bool, 0, offsetof($1, exec_context.private_devices)
|
||||
$1.ProtectKernelTunables, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_tunables)
|
||||
$1.ProtectKernelModules, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_modules)
|
||||
$1.ProtectKernelLogs, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_logs)
|
||||
$1.ProtectControlGroups, config_parse_bool, 0, offsetof($1, exec_context.protect_control_groups)
|
||||
$1.NetworkNamespacePath, config_parse_unit_path_printf, 0, offsetof($1, exec_context.network_namespace_path)
|
||||
$1.PrivateNetwork, config_parse_bool, 0, offsetof($1, exec_context.private_network)
|
||||
|
|
|
@ -4269,6 +4269,9 @@ int unit_patch_contexts(Unit *u) {
|
|||
if (ec->protect_kernel_modules)
|
||||
ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYS_MODULE);
|
||||
|
||||
if (ec->protect_kernel_logs)
|
||||
ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYSLOG);
|
||||
|
||||
if (ec->dynamic_user) {
|
||||
if (!ec->user) {
|
||||
r = user_from_unit_name(u, &ec->user);
|
||||
|
|
Loading…
Reference in a new issue