core: ProtectKernelLogs= mask kmsg in proc and sys

Block access to /dev/kmsg and /proc/kmsg when ProtectKernelLogs is set.
2019-11-10 01:17:01 -08:00 · 2019-11-10 01:17:01 -08:00 · 94a7b2759d
parent 07cab0f72b
commit 94a7b2759d
3 changed files with 17 additions and 1 deletions
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -1872,6 +1872,7 @@ static bool exec_needs_mount_namespace(
            context->protect_home != PROTECT_HOME_NO ||
            context->protect_kernel_tunables ||
            context->protect_kernel_modules ||
+            context->protect_kernel_logs ||
            context->protect_control_groups)
                return true;

@ -2507,6 +2508,7 @@ static int apply_mount_namespace(
                        .protect_control_groups = context->protect_control_groups,
                        .protect_kernel_tunables = context->protect_kernel_tunables,
                        .protect_kernel_modules = context->protect_kernel_modules,
+                        .protect_kernel_logs = context->protect_kernel_logs,
                        .protect_hostname = context->protect_hostname,
                        .mount_apivfs = context->mount_apivfs,
                        .private_mounts = context->private_mounts,
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -109,6 +109,12 @@ static const MountEntry protect_kernel_modules_table[] = {
        { "/usr/lib/modules",    INACCESSIBLE, true  },
 };

+/* ProtectKernelLogs= option */
+static const MountEntry protect_kernel_logs_table[] = {
+        { "/proc/kmsg",          INACCESSIBLE, true },
+        { "/dev/kmsg",           INACCESSIBLE, true },
+};
+
 /*
 * ProtectHome=read-only table, protect $HOME and $XDG_RUNTIME_DIR and rest of
 * system should be protected by ProtectSystem=
@ -1147,8 +1153,9 @@ static size_t namespace_calculate_mounts(
                n_temporary_filesystems +
                ns_info->private_dev +
                (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
-                (ns_info->protect_control_groups ? 1 : 0) +
                (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
+                (ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) +
+                (ns_info->protect_control_groups ? 1 : 0) +
                protect_home_cnt + protect_system_cnt +
                (ns_info->protect_hostname ? 2 : 0) +
                (namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0);
@ -1319,6 +1326,12 @@ int setup_namespace(
                                goto finish;
                }

+                if (ns_info->protect_kernel_logs) {
+                        r = append_static_mounts(&m, protect_kernel_logs_table, ELEMENTSOF(protect_kernel_logs_table), ns_info->ignore_protect_paths);
+                        if (r < 0)
+                                goto finish;
+                }
+
                if (ns_info->protect_control_groups) {
                        *(m++) = (MountEntry) {
                                .path_const = "/sys/fs/cgroup",
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@ -51,6 +51,7 @@ struct NamespaceInfo {
        bool protect_control_groups:1;
        bool protect_kernel_tunables:1;
        bool protect_kernel_modules:1;
+        bool protect_kernel_logs:1;
        bool mount_apivfs:1;
        bool protect_hostname:1;
 };