core: ProtectKernelLogs= mask kmsg in proc and sys
Block access to /dev/kmsg and /proc/kmsg when ProtectKernelLogs is set.
parent
07cab0f72b
commit
94a7b2759d
@ -1872,6 +1872,7 @@ static bool exec_needs_mount_namespace(
|
|||
context->protect_home != PROTECT_HOME_NO ||
|
||||
context->protect_kernel_tunables ||
|
||||
context->protect_kernel_modules ||
|
||||
context->protect_kernel_logs ||
|
||||
context->protect_control_groups)
|
||||
return true;
|
||||
|
||||
|
@ -2507,6 +2508,7 @@ static int apply_mount_namespace(
|
|||
.protect_control_groups = context->protect_control_groups,
|
||||
.protect_kernel_tunables = context->protect_kernel_tunables,
|
||||
.protect_kernel_modules = context->protect_kernel_modules,
|
||||
.protect_kernel_logs = context->protect_kernel_logs,
|
||||
.protect_hostname = context->protect_hostname,
|
||||
.mount_apivfs = context->mount_apivfs,
|
||||
.private_mounts = context->private_mounts,
|
||||
|
|
|
@ -109,6 +109,12 @@ static const MountEntry protect_kernel_modules_table[] = {
|
|||
{ "/usr/lib/modules", INACCESSIBLE, true },
|
||||
};
|
||||
|
||||
/* ProtectKernelLogs= option */
|
||||
static const MountEntry protect_kernel_logs_table[] = {
|
||||
{ "/proc/kmsg", INACCESSIBLE, true },
|
||||
{ "/dev/kmsg", INACCESSIBLE, true },
|
||||
};
|
||||
|
||||
/*
|
||||
* ProtectHome=read-only table, protect $HOME and $XDG_RUNTIME_DIR and rest of
|
||||
* system should be protected by ProtectSystem=
|
||||
|
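Review bot: The new `protect_kernel_logs_table` blocks only the two filesystem views of the kernel ring buffer; the same data stays readable through syslog(2) (what dmesg uses) for a process that retains CAP_SYSLOG, and a unit keeping CAP_MKNOD on a writable, non-nodev filesystem can recreate the `c 1 11` node that the INACCESSIBLE mount over /dev/kmsg hides. None of the hunks on this page drops the capability or filters the syscall, so if that is done in a companion commit the table should record the division of labour, e.g. `/* Filesystem side of ProtectKernelLogs= only: syslog(2)/CAP_SYSLOG and mknod of 1:11 must be closed by the capability and seccomp code. */`, otherwise a reader of this file will take the mount mask for the whole mechanism. Note also that the entries live under /proc and /dev, not /sys as the commit title says; the description line has it right. The table is complete within the hunk.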
@ -1147,8 +1153,9 @@ static size_t namespace_calculate_mounts(
|
|||
n_temporary_filesystems +
|
||||
ns_info->private_dev +
|
||||
(ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
|
||||
(ns_info->protect_control_groups ? 1 : 0) +
|
||||
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
|
||||
(ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) +
|
||||
(ns_info->protect_control_groups ? 1 : 0) +
|
||||
protect_home_cnt + protect_system_cnt +
|
||||
(ns_info->protect_hostname ? 2 : 0) +
|
||||
(namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0);
|
||||
|
@ -1319,6 +1326,12 @@ int setup_namespace(
|
|||
goto finish;
|
||||
}
|
||||
|
||||
if (ns_info->protect_kernel_logs) {
|
||||
r = append_static_mounts(&m, protect_kernel_logs_table, ELEMENTSOF(protect_kernel_logs_table), ns_info->ignore_protect_paths);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
}
|
||||
|
||||
if (ns_info->protect_control_groups) {
|
||||
*(m++) = (MountEntry) {
|
||||
.path_const = "/sys/fs/cgroup",
|
||||
|
|
|
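Review bot: The /dev/kmsg entry appended here assumes the node exists in the unit's /dev when the INACCESSIBLE mount is applied; with PrivateDevices= also set, /dev is replaced by a tmpfs populated from a fixed list of nodes, and unless that list contains kmsg the mask has nothing to cover. Whether that becomes a silent skip or a failed unit start depends on the `ignore` flag of the table entry being honoured by `append_static_mounts()` and by the INACCESSIBLE handler, neither of which is in view, so a unit combining `PrivateDevices=yes` with `ProtectKernelLogs=yes` should be exercised before this lands. If it fails, the clean fix is to keep /proc/kmsg and /dev/kmsg in separate tables and append the /dev one only under `if (ns_info->protect_kernel_logs && !ns_info->private_dev)`, with a comment stating that the private /dev never carries the node. setup_namespace() starts and ends outside the hunk.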
@ -51,6 +51,7 @@ struct NamespaceInfo {
|
|||
bool protect_control_groups:1;
|
||||
bool protect_kernel_tunables:1;
|
||||
bool protect_kernel_modules:1;
|
||||
bool protect_kernel_logs:1;
|
||||
bool mount_apivfs:1;
|
||||
bool protect_hostname:1;
|
||||
};
|
||||
|
|