shared: Add ProtectKernelLogs property

Add seccomp_protect_syslog, which adds a filter rule for the syslog system call.
2019-11-04 17:17:01 -08:00 · 2019-11-04 17:17:01 -08:00 · 620dbdd248
parent a602d93e44
commit 620dbdd248
3 changed files with 35 additions and 2 deletions
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@ -818,8 +818,8 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
                       "PrivateDevices", "PrivateNetwork", "PrivateUsers", "PrivateMounts",
                       "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute", "RestrictRealtime",
                       "DynamicUser", "RemoveIPC", "ProtectKernelTunables", "ProtectKernelModules",
-                       "ProtectControlGroups", "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality",
-                       "ProtectHostname", "RestrictSUIDSGID"))
+                       "ProtectKernelLogs", "ProtectControlGroups", "MountAPIVFS", "CPUSchedulingResetOnFork",
+                       "LockPersonality", "ProtectHostname", "RestrictSUIDSGID"))
                return bus_append_parse_boolean(m, field, eq);

        if (STR_IN_SET(field,
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -1281,6 +1281,38 @@ int seccomp_protect_sysctl(void) {
        return 0;
 }

+int seccomp_protect_syslog(void) {
+        uint32_t arch;
+        int r;
+
+        SECCOMP_FOREACH_LOCAL_ARCH(arch) {
+                _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
+
+                r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
+                if (r < 0)
+                        return r;
+
+                r = seccomp_rule_add_exact(
+                                seccomp,
+                                SCMP_ACT_ERRNO(EPERM),
+                                SCMP_SYS(syslog),
+                                0);
+
+                if (r < 0) {
+                        log_debug_errno(r, "Failed to add syslog() rule for architecture %s, skipping %m", seccomp_arch_to_string(arch));
+                        continue;
+                }
+
+                r = seccomp_load(seccomp);
+                if (ERRNO_IS_SECCOMP_FATAL(r))
+                        return r;
+                if (r < 0)
+                        log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch));
+        }
+
+        return 0;
+}
+
 int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
        uint32_t arch;
        int r;
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@ -82,6 +82,7 @@ int seccomp_parse_syscall_filter(
 int seccomp_restrict_archs(Set *archs);
 int seccomp_restrict_namespaces(unsigned long retain);
 int seccomp_protect_sysctl(void);
+int seccomp_protect_syslog(void);
 int seccomp_restrict_address_families(Set *address_families, bool whitelist);
 int seccomp_restrict_realtime(void);
 int seccomp_memory_deny_write_execute(void);