seccomp: add helper call to add all secondary archs to a seccomp filter

And make use of it where appropriate for executing services and for
nspawn.
Lennart Poettering 2014-02-18 22:14:00 +01:00
parent f3d5485b80
commit e9642be2cc
6 changed files with 89 additions and 39 deletions


@ -196,7 +196,6 @@ AM_CPPFLAGS = \
-I $(top_srcdir)/src/libsystemd/sd-bus \ -I $(top_srcdir)/src/libsystemd/sd-bus \
-I $(top_srcdir)/src/libsystemd/sd-event \ -I $(top_srcdir)/src/libsystemd/sd-event \
-I $(top_srcdir)/src/libsystemd/sd-rtnl \ -I $(top_srcdir)/src/libsystemd/sd-rtnl \
$(SECCOMP_CFLAGS) \
$(OUR_CPPFLAGS) $(OUR_CPPFLAGS)
AM_CFLAGS = $(OUR_CFLAGS) AM_CFLAGS = $(OUR_CFLAGS)
@ -771,12 +770,6 @@ nodist_libsystemd_shared_la_SOURCES = \
src/shared/errno-from-name.h \ src/shared/errno-from-name.h \
src/shared/errno-to-name.h src/shared/errno-to-name.h
if HAVE_SECCOMP
libsystemd_shared_la_SOURCES += \
src/shared/seccomp-util.h \
src/shared/seccomp-util.c
endif
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
noinst_LTLIBRARIES += \ noinst_LTLIBRARIES += \
libsystemd-units.la libsystemd-units.la
@ -816,6 +809,26 @@ libsystemd_label_la_CFLAGS = \
libsystemd_label_la_LIBADD = \ libsystemd_label_la_LIBADD = \
$(SELINUX_LIBS) $(SELINUX_LIBS)
# ------------------------------------------------------------------------------
if HAVE_SECCOMP
noinst_LTLIBRARIES += \
libsystemd-seccomp.la
libsystemd_seccomp_la_SOURCES = \
src/shared/seccomp-util.h \
src/shared/seccomp-util.c
libsystemd_seccomp_la_CFLAGS = \
$(AM_CFLAGS) \
$(SECCOMP_CFLAGS)
libsystemd_seccomp_la_LIBADD = \
$(SECCOMP_LIBS)
endif
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
noinst_LTLIBRARIES += \ noinst_LTLIBRARIES += \
libsystemd-logs.la libsystemd-logs.la
@ -999,6 +1012,7 @@ libsystemd_core_la_CFLAGS = \
$(LIBWRAP_CFLAGS) \ $(LIBWRAP_CFLAGS) \
$(PAM_CFLAGS) \ $(PAM_CFLAGS) \
$(AUDIT_CFLAGS) \ $(AUDIT_CFLAGS) \
$(CAP_CFLAGS) \
$(KMOD_CFLAGS) \ $(KMOD_CFLAGS) \
$(SECCOMP_CFLAGS) \ $(SECCOMP_CFLAGS) \
-pthread -pthread
@ -1015,8 +1029,13 @@ libsystemd_core_la_LIBADD = \
$(PAM_LIBS) \ $(PAM_LIBS) \
$(AUDIT_LIBS) \ $(AUDIT_LIBS) \
$(CAP_LIBS) \ $(CAP_LIBS) \
$(SECCOMP_LIBS) \ $(KMOD_LIBS) \
$(KMOD_LIBS) $(SECCOMP_LIBS)
if HAVE_SECCOMP
libsystemd_core_la_LIBADD += \
libsystemd-seccomp.la
endif
src/core/load-fragment-gperf-nulstr.c: src/core/load-fragment-gperf.gperf src/core/load-fragment-gperf-nulstr.c: src/core/load-fragment-gperf.gperf
$(AM_V_at)$(MKDIR_P) $(dir $@) $(AM_V_at)$(MKDIR_P) $(dir $@)
@ -1846,6 +1865,10 @@ systemd_nspawn_SOURCES = \
src/core/loopback-setup.c \ src/core/loopback-setup.c \
src/core/loopback-setup.h src/core/loopback-setup.h
systemd_nspawn_CFLAGS = \
$(AM_CFLAGS) \
$(SECCOMP_CFLAGS)
systemd_nspawn_LDADD = \ systemd_nspawn_LDADD = \
libsystemd-label.la \ libsystemd-label.la \
libsystemd-capability.la \ libsystemd-capability.la \
@ -1853,6 +1876,7 @@ systemd_nspawn_LDADD = \
libsystemd-daemon-internal.la \ libsystemd-daemon-internal.la \
libudev-internal.la \ libudev-internal.la \
libsystemd-shared.la \ libsystemd-shared.la \
libsystemd-seccomp.la \
$(SECCOMP_LIBS) $(SECCOMP_LIBS)
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
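Review bot: The new `libsystemd-seccomp.la` entry in `systemd_nspawn_LDADD` is unconditional, but the library it names is only defined inside `if HAVE_SECCOMP` (the new `noinst_LTLIBRARIES += libsystemd-seccomp.la` block), so a build configured without libseccomp would reference a library that does not exist — the core library handles the same dependency with a guarded `libsystemd_core_la_LIBADD += libsystemd-seccomp.la` in this very commit, and nspawn.c itself wraps its seccomp code in `#ifdef HAVE_SECCOMP`, which suggests nspawn is expected to build without it. Unless the nspawn target is itself inside an `if HAVE_SECCOMP` that the hunk does not show, the addition should be moved into a matching conditional: `if HAVE_SECCOMP` / `systemd_nspawn_LDADD += libsystemd-seccomp.la` / `endif`. The `$(SECCOMP_LIBS)` that remains in the unconditional list is harmless since it expands to nothing when seccomp is disabled.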


@ -1050,14 +1050,6 @@
<function>write</function> will be <function>write</function> will be
removed from the set.) removed from the set.)
</para></listitem> </para></listitem>
<para>Note that setting
<varname>SystemCallFilter=</varname>
implies a
<varname>SystemCallArchitectures=</varname>
setting of <literal>native</literal>
(see below), unless that option is
configured otherwise.</para>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
@ -1099,8 +1091,8 @@
unit. This is an effective way to unit. This is an effective way to
disable compatibility with non-native disable compatibility with non-native
architectures for processes, for architectures for processes, for
example to prohibit execution of 32-bit example to prohibit execution of
x86 binaries on 64-bit x86-64 32-bit x86 binaries on 64-bit x86-64
systems. The special systems. The special
<literal>native</literal> identifier <literal>native</literal> identifier
implicitly maps to the native implicitly maps to the native
@ -1112,14 +1104,8 @@
<literal>native</literal> is included <literal>native</literal> is included
too. By default, this option is set to too. By default, this option is set to
the empty list, i.e. no architecture the empty list, i.e. no architecture
system call filtering is applied. Note system call filtering is
that configuring a system call filter applied.</para></listitem>
with
<varname>SystemCallFilter=</varname>
(above) implies a
<literal>native</literal> architecture
list, unless configured
otherwise.</para></listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>


@ -957,10 +957,20 @@ static int apply_seccomp(ExecContext *c) {
if (!seccomp) if (!seccomp)
return -ENOMEM; return -ENOMEM;
SET_FOREACH(id, c->syscall_archs, i) { if (c->syscall_archs) {
r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
if (r == -EEXIST) SET_FOREACH(id, c->syscall_archs, i) {
continue; r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
if (r == -EEXIST)
continue;
if (r < 0) {
seccomp_release(seccomp);
return r;
}
}
} else {
r = seccomp_add_secondary_archs(seccomp);
if (r < 0) { if (r < 0) {
seccomp_release(seccomp); seccomp_release(seccomp);
return r; return r;
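Review bot: The new `else` branch changes what an unset `SystemCallArchitectures=` means for a unit that has `SystemCallFilter=` — the same rules now cover every ABI `seccomp_add_secondary_archs()` knows about, whereas the man-page text this commit removes documented the old default as `native` only — and nothing in the code records that choice; a comment on the branch would help, e.g. `/* No SystemCallArchitectures= configured: apply the filter to every ABI this kernel may expose (x86, x86-64, x32 on x86 systems), not just the native one */`. The filter rules are added to `seccomp` further down, outside this hunk; whether libseccomp rejects a rule when a syscall name resolves on one of the added ABIs but not another is something I cannot confirm from here, so the multi-arch default deserves a test with a unit that names an ABI-specific syscall. `apply_seccomp()` starts and ends outside the hunk.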


@ -79,6 +79,10 @@
#include "rtnl-util.h" #include "rtnl-util.h"
#include "udev-util.h" #include "udev-util.h"
#ifdef HAVE_SECCOMP
#include "seccomp-util.h"
#endif
typedef enum LinkJournal { typedef enum LinkJournal {
LINK_NO, LINK_NO,
LINK_AUTO, LINK_AUTO,
@ -1521,6 +1525,12 @@ static int audit_still_doesnt_work_in_containers(void) {
if (!seccomp) if (!seccomp)
return log_oom(); return log_oom();
r = seccomp_add_secondary_archs(seccomp);
if (r < 0 && r != -EEXIST) {
log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
goto finish;
}
r = seccomp_rule_add_exact( r = seccomp_rule_add_exact(
seccomp, seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_ACT_ERRNO(EAFNOSUPPORT),
@ -1539,14 +1549,6 @@ static int audit_still_doesnt_work_in_containers(void) {
goto finish; goto finish;
} }
#ifdef __x86_64__
r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
if (r < 0 && r != -EEXIST) {
log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
goto finish;
}
#endif
r = seccomp_load(seccomp); r = seccomp_load(seccomp);
if (r < 0) if (r < 0)
log_error("Failed to install seccomp audit filter: %s", strerror(-r)); log_error("Failed to install seccomp audit filter: %s", strerror(-r));
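Review bot: The `r != -EEXIST` clause on the new `seccomp_add_secondary_archs()` check is dead code: the helper added in src/shared/seccomp-util.c already treats -EEXIST from each `seccomp_arch_add()` as success and returns 0, so the condition can simply be `if (r < 0) {`, matching the check used for the same call in execute.c. The clause looks like a leftover from the removed `seccomp_arch_add(seccomp, SCMP_ARCH_X86)` block it replaces. Since the arch addition now precedes the `seccomp_rule_add_exact()` call, a one-line comment such as `/* add archs before the rule so the rule is built for all of them */` would keep a future reorder from silently dropping the secondary ABIs — assuming libseccomp does not replicate existing rules onto an arch added later, which I cannot confirm from here. `audit_still_doesnt_work_in_containers()` starts and ends outside the hunk.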


@ -61,3 +61,29 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
return 0; return 0;
} }
int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
#if defined(__i386__) || defined(__x86_64__)
int r;
/* Add in all possible secondary archs we are aware of that
* this kernel might support. */
r = seccomp_arch_add(c, SCMP_ARCH_X86);
if (r < 0 && r != -EEXIST)
return r;
r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
if (r < 0 && r != -EEXIST)
return r;
r = seccomp_arch_add(c, SCMP_ARCH_X32);
if (r < 0 && r != -EEXIST)
return r;
#endif
return 0;
}
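Review bot: `seccomp_add_secondary_archs()` is a silent no-op on anything other than x86/x86-64 — the entire body sits under `#if defined(__i386__) || defined(__x86_64__)` and the fallback returns 0 — so a caller relying on it for "all secondary ABIs" (execute.c now does whenever `SystemCallArchitectures=` is unset) ends up with the native arch only on ARM, PowerPC, s390 and the like, with no indication; the function should carry a header comment stating this, and the unconditional `return 0;` deserves `/* no secondary ABIs known for this architecture yet */`. The contract also needs documenting: on x86 it adds x86, x86-64 and x32 to `c`, treats -EEXIST (the arch is already in the filter, as the native one will be) as success, and returns the first other negative libseccomp error, at which point the filter holds a partial arch set that the caller still has to release. I would also hedge in the comment that rules already present in `c` before this call may not cover the newly added archs, since that depends on libseccomp semantics not visible here.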


@ -24,3 +24,5 @@
const char* seccomp_arch_to_string(uint32_t c); const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret); int seccomp_arch_from_string(const char *n, uint32_t *ret);
int seccomp_add_secondary_archs(scmp_filter_ctx *c);