seccomp: add helper call to add all secondary archs to a seccomp filter

And make use of it where appropriate for executing services and for
nspawn.
Lennart Poettering 2014-02-18 22:14:00 +01:00
parent f3d5485b80
commit e9642be2cc
6 changed files with 89 additions and 39 deletions


@ -196,7 +196,6 @@ AM_CPPFLAGS = \
-I $(top_srcdir)/src/libsystemd/sd-bus \
-I $(top_srcdir)/src/libsystemd/sd-event \
-I $(top_srcdir)/src/libsystemd/sd-rtnl \
$(SECCOMP_CFLAGS) \
$(OUR_CPPFLAGS)
AM_CFLAGS = $(OUR_CFLAGS)
@ -771,12 +770,6 @@ nodist_libsystemd_shared_la_SOURCES = \
src/shared/errno-from-name.h \
src/shared/errno-to-name.h
if HAVE_SECCOMP
libsystemd_shared_la_SOURCES += \
src/shared/seccomp-util.h \
src/shared/seccomp-util.c
endif
# ------------------------------------------------------------------------------
noinst_LTLIBRARIES += \
libsystemd-units.la
@ -816,6 +809,26 @@ libsystemd_label_la_CFLAGS = \
libsystemd_label_la_LIBADD = \
$(SELINUX_LIBS)
# ------------------------------------------------------------------------------
if HAVE_SECCOMP
noinst_LTLIBRARIES += \
libsystemd-seccomp.la
libsystemd_seccomp_la_SOURCES = \
src/shared/seccomp-util.h \
src/shared/seccomp-util.c
libsystemd_seccomp_la_CFLAGS = \
$(AM_CFLAGS) \
$(SECCOMP_CFLAGS)
libsystemd_seccomp_la_LIBADD = \
$(SECCOMP_LIBS)
endif
# ------------------------------------------------------------------------------
noinst_LTLIBRARIES += \
libsystemd-logs.la
@ -999,6 +1012,7 @@ libsystemd_core_la_CFLAGS = \
$(LIBWRAP_CFLAGS) \
$(PAM_CFLAGS) \
$(AUDIT_CFLAGS) \
$(CAP_CFLAGS) \
$(KMOD_CFLAGS) \
$(SECCOMP_CFLAGS) \
-pthread
@ -1015,8 +1029,13 @@ libsystemd_core_la_LIBADD = \
$(PAM_LIBS) \
$(AUDIT_LIBS) \
$(CAP_LIBS) \
$(SECCOMP_LIBS) \
$(KMOD_LIBS)
$(KMOD_LIBS) \
$(SECCOMP_LIBS)
if HAVE_SECCOMP
libsystemd_core_la_LIBADD += \
libsystemd-seccomp.la
endif
src/core/load-fragment-gperf-nulstr.c: src/core/load-fragment-gperf.gperf
$(AM_V_at)$(MKDIR_P) $(dir $@)
@ -1846,6 +1865,10 @@ systemd_nspawn_SOURCES = \
src/core/loopback-setup.c \
src/core/loopback-setup.h
systemd_nspawn_CFLAGS = \
$(AM_CFLAGS) \
$(SECCOMP_CFLAGS)
systemd_nspawn_LDADD = \
libsystemd-label.la \
libsystemd-capability.la \
@ -1853,6 +1876,7 @@ systemd_nspawn_LDADD = \
libsystemd-daemon-internal.la \
libudev-internal.la \
libsystemd-shared.la \
libsystemd-seccomp.la \
$(SECCOMP_LIBS)
# ------------------------------------------------------------------------------
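Review bot: The systemd_nspawn_LDADD hunk references `libsystemd-seccomp.la` unconditionally, but that library is only defined inside `if HAVE_SECCOMP` (hunk at 809), so a build configured without seccomp would presumably fail to link systemd-nspawn against a target that does not exist. The libsystemd_core_la_LIBADD hunk guards the same reference with `if HAVE_SECCOMP`; the nspawn list should do the same, i.e. drop `libsystemd-seccomp.la \` and `$(SECCOMP_LIBS)` from the main list and append them via `if HAVE_SECCOMP` / `systemd_nspawn_LDADD += libsystemd-seccomp.la $(SECCOMP_LIBS)` / `endif`. `$(SECCOMP_CFLAGS)` in systemd_nspawn_CFLAGS is harmless since an unset substitution expands to nothing.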


@ -1050,14 +1050,6 @@
<function>write</function> will be
removed from the set.)
</para></listitem>
<para>Note that setting
<varname>SystemCallFilter=</varname>
implies a
<varname>SystemCallArchitectures=</varname>
setting of <literal>native</literal>
(see below), unless that option is
configured otherwise.</para>
</varlistentry>
<varlistentry>
@ -1099,8 +1091,8 @@
unit. This is an effective way to
disable compatibility with non-native
architectures for processes, for
example to prohibit execution of 32-bit
x86 binaries on 64-bit x86-64
example to prohibit execution of
32-bit x86 binaries on 64-bit x86-64
systems. The special
<literal>native</literal> identifier
implicitly maps to the native
@ -1112,14 +1104,8 @@
<literal>native</literal> is included
too. By default, this option is set to
the empty list, i.e. no architecture
system call filtering is applied. Note
that configuring a system call filter
with
<varname>SystemCallFilter=</varname>
(above) implies a
<literal>native</literal> architecture
list, unless configured
otherwise.</para></listitem>
system call filtering is
applied.</para></listitem>
</varlistentry>
</variablelist>


@ -957,10 +957,20 @@ static int apply_seccomp(ExecContext *c) {
if (!seccomp)
return -ENOMEM;
SET_FOREACH(id, c->syscall_archs, i) {
r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
if (r == -EEXIST)
continue;
if (c->syscall_archs) {
SET_FOREACH(id, c->syscall_archs, i) {
r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
if (r == -EEXIST)
continue;
if (r < 0) {
seccomp_release(seccomp);
return r;
}
}
} else {
r = seccomp_add_secondary_archs(seccomp);
if (r < 0) {
seccomp_release(seccomp);
return r;
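Review bot: The new `else` branch is the behavioural change of this commit — with no SystemCallArchitectures= list the filter now also covers the secondary archs instead of only the native one — but nothing in the code says why, and the man-page note that used to explain the old default is removed in the same commit. Add a comment above `r = seccomp_add_secondary_archs(seccomp);` such as `/* No explicit arch list: also cover the secondary archs this kernel may run (e.g. 32-bit x86 on x86-64), so the filter rules apply to those callers too instead of relying on libseccomp's bad-architecture action for them. */`. Note that the helper only knows the x86 variants (see seccomp-util.c in this commit), so on other platforms this branch is a no-op that returns 0; that is presumably acceptable but worth stating in the same comment. apply_seccomp's body continues outside the hunk.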


@ -79,6 +79,10 @@
#include "rtnl-util.h"
#include "udev-util.h"
#ifdef HAVE_SECCOMP
#include "seccomp-util.h"
#endif
typedef enum LinkJournal {
LINK_NO,
LINK_AUTO,
@ -1521,6 +1525,12 @@ static int audit_still_doesnt_work_in_containers(void) {
if (!seccomp)
return log_oom();
r = seccomp_add_secondary_archs(seccomp);
if (r < 0 && r != -EEXIST) {
log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
goto finish;
}
r = seccomp_rule_add_exact(
seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT),
@ -1539,14 +1549,6 @@ static int audit_still_doesnt_work_in_containers(void) {
goto finish;
}
#ifdef __x86_64__
r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
if (r < 0 && r != -EEXIST) {
log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
goto finish;
}
#endif
r = seccomp_load(seccomp);
if (r < 0)
log_error("Failed to install seccomp audit filter: %s", strerror(-r));
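Review bot: The `r != -EEXIST` exemption on the new `seccomp_add_secondary_archs()` call is dead: the helper (seccomp-util.c in this commit) already treats -EEXIST from each seccomp_arch_add() as success and returns 0, so `if (r < 0) {` is enough and the extra clause suggests a return contract the helper does not have. Note also that the call is placed before `seccomp_rule_add_exact()`, whereas the removed `#ifdef __x86_64__` block added SCMP_ARCH_X86 after the rule; if I recall libseccomp correctly a rule is compiled only into the architectures present when it is added, so the new order is what makes the EAFNOSUPPORT rule reach 32-bit callers as well — a one-line comment, `/* archs must be added before the rule so the rule is compiled for each of them */`, would keep a later edit from reordering it. audit_still_doesnt_work_in_containers starts outside the hunk.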


@ -61,3 +61,29 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
return 0;
}
int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
#if defined(__i386__) || defined(__x86_64__)
int r;
/* Add in all possible secondary archs we are aware of that
* this kernel might support. */
r = seccomp_arch_add(c, SCMP_ARCH_X86);
if (r < 0 && r != -EEXIST)
return r;
r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
if (r < 0 && r != -EEXIST)
return r;
r = seccomp_arch_add(c, SCMP_ARCH_X32);
if (r < 0 && r != -EEXIST)
return r;
#endif
return 0;
}
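Review bot: The parameter is declared `scmp_filter_ctx *c`, but libseccomp defines `scmp_filter_ctx` as `void *`, so this is really a `void **` that the callers in execute.c and nspawn.c hand a plain `scmp_filter_ctx`; it compiles only because `void *` converts silently in both directions, and the same declaration appears in the seccomp-util.h hunk. Use `int seccomp_add_secondary_archs(scmp_filter_ctx c)` in both places. The function is also a silent no-op on any non-x86 build because of the `#if`, which a caller cannot tell apart from having added archs; extend the existing comment with `Returns 0 on platforms for which no secondary arch is known.` so callers do not assume coverage they are not getting.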


@ -24,3 +24,5 @@
const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret);
int seccomp_add_secondary_archs(scmp_filter_ctx *c);