diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-02-18 22:14:00 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-18 22:14:00 +0100 |
commit | e9642be2cce7f5e90406980092a6f71f504a16af (patch) | |
tree | 261c0a274329240ef9c79f618f28fcb51f0a6a07 | |
parent | f3d5485b805de60ee71810eeb58e82d44ce24fe1 (diff) | |
download | systemd-e9642be2cce7f5e90406980092a6f71f504a16af.tar.gz |
seccomp: add helper call to add all secondary archs to a seccomp filter
And make use of it where appropriate for executing services and for
nspawn.
-rw-r--r-- | Makefile.am | 42 | ||||
-rw-r--r-- | man/systemd.exec.xml | 22 | ||||
-rw-r--r-- | src/core/execute.c | 18 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 18 | ||||
-rw-r--r-- | src/shared/seccomp-util.c | 26 | ||||
-rw-r--r-- | src/shared/seccomp-util.h | 2 |
6 files changed, 89 insertions, 39 deletions
diff --git a/Makefile.am b/Makefile.am index 83c70a63e2..1a7f9fb5b0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -196,7 +196,6 @@ AM_CPPFLAGS = \ -I $(top_srcdir)/src/libsystemd/sd-bus \ -I $(top_srcdir)/src/libsystemd/sd-event \ -I $(top_srcdir)/src/libsystemd/sd-rtnl \ - $(SECCOMP_CFLAGS) \ $(OUR_CPPFLAGS) AM_CFLAGS = $(OUR_CFLAGS) @@ -771,12 +770,6 @@ nodist_libsystemd_shared_la_SOURCES = \ src/shared/errno-from-name.h \ src/shared/errno-to-name.h -if HAVE_SECCOMP -libsystemd_shared_la_SOURCES += \ - src/shared/seccomp-util.h \ - src/shared/seccomp-util.c -endif - # ------------------------------------------------------------------------------ noinst_LTLIBRARIES += \ libsystemd-units.la @@ -817,6 +810,26 @@ libsystemd_label_la_LIBADD = \ $(SELINUX_LIBS) # ------------------------------------------------------------------------------ + +if HAVE_SECCOMP + +noinst_LTLIBRARIES += \ + libsystemd-seccomp.la + +libsystemd_seccomp_la_SOURCES = \ + src/shared/seccomp-util.h \ + src/shared/seccomp-util.c + +libsystemd_seccomp_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(SECCOMP_CFLAGS) + +libsystemd_seccomp_la_LIBADD = \ + $(SECCOMP_LIBS) + +endif + +# ------------------------------------------------------------------------------ noinst_LTLIBRARIES += \ libsystemd-logs.la @@ -999,6 +1012,7 @@ libsystemd_core_la_CFLAGS = \ $(LIBWRAP_CFLAGS) \ $(PAM_CFLAGS) \ $(AUDIT_CFLAGS) \ + $(CAP_CFLAGS) \ $(KMOD_CFLAGS) \ $(SECCOMP_CFLAGS) \ -pthread @@ -1015,8 +1029,13 @@ libsystemd_core_la_LIBADD = \ $(PAM_LIBS) \ $(AUDIT_LIBS) \ $(CAP_LIBS) \ - $(SECCOMP_LIBS) \ - $(KMOD_LIBS) + $(KMOD_LIBS) \ + $(SECCOMP_LIBS) + +if HAVE_SECCOMP +libsystemd_core_la_LIBADD += \ + libsystemd-seccomp.la +endif src/core/load-fragment-gperf-nulstr.c: src/core/load-fragment-gperf.gperf $(AM_V_at)$(MKDIR_P) $(dir $@) @@ -1846,6 +1865,10 @@ systemd_nspawn_SOURCES = \ src/core/loopback-setup.c \ src/core/loopback-setup.h +systemd_nspawn_CFLAGS = \ + $(AM_CFLAGS) \ + $(SECCOMP_CFLAGS) + systemd_nspawn_LDADD = \ libsystemd-label.la \ libsystemd-capability.la \ @@ -1853,6 +1876,7 @@ systemd_nspawn_LDADD = \ libsystemd-daemon-internal.la \ libudev-internal.la \ libsystemd-shared.la \ + libsystemd-seccomp.la \ $(SECCOMP_LIBS) # ------------------------------------------------------------------------------ diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 252992bc60..e82e1f59f0 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1050,14 +1050,6 @@ <function>write</function> will be removed from the set.) </para></listitem> - - <para>Note that setting - <varname>SystemCallFilter=</varname> - implies a - <varname>SystemCallArchitectures=</varname> - setting of <literal>native</literal> - (see below), unless that option is - configured otherwise.</para> </varlistentry> <varlistentry> @@ -1099,8 +1091,8 @@ unit. This is an effective way to disable compatibility with non-native architectures for processes, for - example to prohibit execution of 32-bit - x86 binaries on 64-bit x86-64 + example to prohibit execution of + 32-bit x86 binaries on 64-bit x86-64 systems. The special <literal>native</literal> identifier implicitly maps to the native @@ -1112,14 +1104,8 @@ <literal>native</literal> is included too. By default, this option is set to the empty list, i.e. no architecture - system call filtering is applied. Note - that configuring a system call filter - with - <varname>SystemCallFilter=</varname> - (above) implies a - <literal>native</literal> architecture - list, unless configured - otherwise.</para></listitem> + system call filtering is + applied.</para></listitem> </varlistentry> </variablelist> diff --git a/src/core/execute.c b/src/core/execute.c index be15fb95ee..4b1177a7e5 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -957,10 +957,20 @@ static int apply_seccomp(ExecContext *c) { if (!seccomp) return -ENOMEM; - SET_FOREACH(id, c->syscall_archs, i) { - r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1); - if (r == -EEXIST) - continue; + if (c->syscall_archs) { + + SET_FOREACH(id, c->syscall_archs, i) { + r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1); + if (r == -EEXIST) + continue; + if (r < 0) { + seccomp_release(seccomp); + return r; + } + } + } else { + + r = seccomp_add_secondary_archs(seccomp); if (r < 0) { seccomp_release(seccomp); return r; diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 5a2467d6e2..54f7187754 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -79,6 +79,10 @@ #include "rtnl-util.h" #include "udev-util.h" +#ifdef HAVE_SECCOMP +#include "seccomp-util.h" +#endif + typedef enum LinkJournal { LINK_NO, LINK_AUTO, @@ -1521,6 +1525,12 @@ static int audit_still_doesnt_work_in_containers(void) { if (!seccomp) return log_oom(); + r = seccomp_add_secondary_archs(seccomp); + if (r < 0 && r != -EEXIST) { + log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r)); + goto finish; + } + r = seccomp_rule_add_exact( seccomp, SCMP_ACT_ERRNO(EAFNOSUPPORT), @@ -1539,14 +1549,6 @@ static int audit_still_doesnt_work_in_containers(void) { goto finish; } -#ifdef __x86_64__ - r = seccomp_arch_add(seccomp, SCMP_ARCH_X86); - if (r < 0 && r != -EEXIST) { - log_error("Failed to add x86 to seccomp filter: %s", strerror(-r)); - goto finish; - } -#endif - r = seccomp_load(seccomp); if (r < 0) log_error("Failed to install seccomp audit filter: %s", strerror(-r)); diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index ee39cc7c1d..d73a74912e 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -61,3 +61,29 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) { return 0; } + +int seccomp_add_secondary_archs(scmp_filter_ctx *c) { + +#if defined(__i386__) || defined(__x86_64__) + int r; + + /* Add in all possible secondary archs we are aware of that + * this kernel might support. */ + + r = seccomp_arch_add(c, SCMP_ARCH_X86); + if (r < 0 && r != -EEXIST) + return r; + + r = seccomp_arch_add(c, SCMP_ARCH_X86_64); + if (r < 0 && r != -EEXIST) + return r; + + r = seccomp_arch_add(c, SCMP_ARCH_X32); + if (r < 0 && r != -EEXIST) + return r; + +#endif + + return 0; + +} diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index 6b63902f5d..9a51a85b49 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -24,3 +24,5 @@ const char* seccomp_arch_to_string(uint32_t c); int seccomp_arch_from_string(const char *n, uint32_t *ret); + +int seccomp_add_secondary_archs(scmp_filter_ctx *c); |