seccomp: allow turning off of seccomp filtering via env var
Fixes: #17504 (While we are at it, also move $SYSTEMD_SECCOMP_LOG= env var description into the right document section) Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
This commit is contained in:
parent
d72ff2df1c
commit
ce8f6d478e
|
@ -83,6 +83,13 @@ All tools:
|
||||||
* `$SYSTEMD_RDRAND=0` — if set, the RDRAND instruction will never be used,
|
* `$SYSTEMD_RDRAND=0` — if set, the RDRAND instruction will never be used,
|
||||||
even if the CPU supports it.
|
even if the CPU supports it.
|
||||||
|
|
||||||
|
* `$SYSTEMD_SECCOMP=0` – if set, seccomp filters will not be enforced, even if
|
||||||
|
support for it is compiled in and available in the kernel.
|
||||||
|
|
||||||
|
* `$SYSTEMD_LOG_SECCOMP=1` — if set, system calls blocked by seccomp filtering,
|
||||||
|
for example in systemd-nspawn, will be logged to the audit log, if the current
|
||||||
|
kernel version supports this.
|
||||||
|
|
||||||
systemctl:
|
systemctl:
|
||||||
|
|
||||||
* `$SYSTEMCTL_FORCE_BUS=1` — if set, do not connect to PID1's private D-Bus
|
* `$SYSTEMCTL_FORCE_BUS=1` — if set, do not connect to PID1's private D-Bus
|
||||||
|
@ -93,10 +100,6 @@ systemctl:
|
||||||
|
|
||||||
* `$SYSTEMCTL_SKIP_SYSV=1` — if set, do not call out to SysV compatibility hooks.
|
* `$SYSTEMCTL_SKIP_SYSV=1` — if set, do not call out to SysV compatibility hooks.
|
||||||
|
|
||||||
* `$SYSTEMD_LOG_SECCOMP=1` — if set, system calls blocked by seccomp filtering,
|
|
||||||
for example in systemd-nspawn, will be logged to the audit log, if the current
|
|
||||||
kernel version supports this.
|
|
||||||
|
|
||||||
systemd-nspawn:
|
systemd-nspawn:
|
||||||
|
|
||||||
* `$SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=1` — if set, force nspawn into unified
|
* `$SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=1` — if set, force nspawn into unified
|
||||||
|
|
|
@ -186,7 +186,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
if (!is_seccomp_available()) {
|
if (!is_seccomp_available()) {
|
||||||
log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
|
log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -259,10 +259,20 @@ static bool is_seccomp_filter_available(void) {
|
||||||
bool is_seccomp_available(void) {
|
bool is_seccomp_available(void) {
|
||||||
static int cached_enabled = -1;
|
static int cached_enabled = -1;
|
||||||
|
|
||||||
if (cached_enabled < 0)
|
if (cached_enabled < 0) {
|
||||||
cached_enabled =
|
int b;
|
||||||
is_basic_seccomp_available() &&
|
|
||||||
is_seccomp_filter_available();
|
b = getenv_bool_secure("SYSTEMD_SECCOMP");
|
||||||
|
if (b != 0) {
|
||||||
|
if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */
|
||||||
|
log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring.");
|
||||||
|
|
||||||
|
cached_enabled =
|
||||||
|
is_basic_seccomp_available() &&
|
||||||
|
is_seccomp_filter_available();
|
||||||
|
} else
|
||||||
|
cached_enabled = false;
|
||||||
|
}
|
||||||
|
|
||||||
return cached_enabled;
|
return cached_enabled;
|
||||||
}
|
}
|
||||||
|
|
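Review bot: Disabling the seccomp sandbox through `$SYSTEMD_SECCOMP=0` is only recorded at the call sites that happen to log (the nspawn hunk does, at debug level), so in the `else` branch of is_seccomp_available() the state change is otherwise invisible to anyone later reviewing why a process ran without filters; I would log it once where the decision is made, `} else {` / `log_debug("$SYSTEMD_SECCOMP=0 set, disabling seccomp filtering.");` / `cached_enabled = false;` / `}`. The branch structure is fail-closed: an unparseable value yields a negative `b` other than `-ENXIO`, which is logged and then takes the `b != 0` path, so filtering stays enabled, and that deserves a comment above the `cached_enabled =` assignment, e.g. `/* Unparseable or unset: fail closed, keep seccomp enabled */`. Since this uses the `_secure` getenv variant, the override presumably is ignored for privileged (AT_SECURE) processes; a one-line comment stating that would save the next reader checking, if that is indeed the helper's contract.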