diff options
| author | Lennart Poettering <lennart@poettering.net> | 2020-11-02 14:51:10 +0100 |
|---|---|---|
| committer | The Plumber <50238977+systemd-rhel-bot@users.noreply.github.com> | 2021-06-14 14:14:57 +0200 |
| commit | e706f5df66b7189a7df526aeeb45c86b8c4b057a (patch) | |
| tree | e3ef47a241243013075c368c2d022f2e387c630d | |
| parent | 4e589237979fdf90af38d466abd7fcd852356f02 (diff) | |
| download | systemd-e706f5df66b7189a7df526aeeb45c86b8c4b057a.tar.gz | |
seccomp: allow turning off of seccomp filtering via env var
Fixes: #17504
(While we are it, also move $SYSTEMD_SECCOMP_LOG= env var description
into the right document section)
Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
(cherry picked from commit ce8f6d478e3f6c6a313fb19615aa5029bb18f86d)
Resolves: #1916835
| -rw-r--r-- | doc/ENVIRONMENT.md | 3 | ||||
| -rw-r--r-- | src/nspawn/nspawn-seccomp.c | 2 | ||||
| -rw-r--r-- | src/shared/seccomp-util.c | 19 |
3 files changed, 19 insertions, 5 deletions
diff --git a/doc/ENVIRONMENT.md b/doc/ENVIRONMENT.md index 0e763b6302..36b649afe1 100644 --- a/doc/ENVIRONMENT.md +++ b/doc/ENVIRONMENT.md @@ -117,3 +117,6 @@ systemd-sulogin-shell: * `$SYSTEMD_SULOGIN_FORCE=1` — This skips asking for the root password if the root password is not available (such as when the root account is locked). See `sulogin(8)` for more details. + +* `$SYSTEMD_SECCOMP=0` – if set, seccomp filters will not be enforced, even if + support for it is compiled in and available in the kernel. diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index b56c5b04a8..fba22644da 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -172,7 +172,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys int r; if (!is_seccomp_available()) { - log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering"); + log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering"); return 0; } diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index d91fb4e269..e903512d45 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -12,6 +12,7 @@ #include "af-list.h" #include "alloc-util.h" +#include "env-util.h" #include "macro.h" #include "nsflags.h" #include "process-util.h" @@ -244,10 +245,20 @@ static bool is_seccomp_filter_available(void) { bool is_seccomp_available(void) { static int cached_enabled = -1; - if (cached_enabled < 0) - cached_enabled = - is_basic_seccomp_available() && - is_seccomp_filter_available(); + if (cached_enabled < 0) { + int b; + + b = getenv_bool("SYSTEMD_SECCOMP"); + if (b != 0) { + if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */ + log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring."); + + cached_enabled = + is_basic_seccomp_available() && + is_seccomp_filter_available(); + } else + cached_enabled = false; + } return cached_enabled; } |