author | Lennart Poettering <lennart@poettering.net> | 2017-09-11 17:45:21 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2017-09-12 14:06:21 +0200 |
commit | 960e4569e17abf7c84f07b697d57ac7d0418edfc (patch) | |
tree | dd8c180c850f0c97fdf6811b6296e79a6d5b7d6b /src/nspawn/nspawn-seccomp.c | |
parent | 7609340e2f9d5b5fd46fa767dd41184b273d7e48 (diff) | |
nspawn: implement configurable syscall whitelisting/blacklisting
Now that we have ported nspawn's seccomp code to the generic code in
seccomp-util, let's extend it to support whitelisting and blacklisting
of specific additional syscalls.
This uses syntax similar to PID1's support for system call filtering,
but in contrast to that always implements a blacklist (and not a
whitelist), as we prepopulate the filter with a blacklist, and the
unit's system call filter logic does not come with anything
prepopulated.
(Later on we might actually want to invert the logic here, and
whitelist rather than blacklist things, but at this point let's not do
that. In case we switch this over later, the syscall add/remove logic of
this commit should be compatible conceptually.)
Fixes: #5163
Replaces: #5944
Diffstat (limited to 'src/nspawn/nspawn-seccomp.c')
-rw-r--r-- | src/nspawn/nspawn-seccomp.c | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 25851401f3..a6f7a7dabc 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -33,13 +33,16 @@
 #include "seccomp-util.h"
 #endif
 #include "string-util.h"
+#include "strv.h"
 #ifdef HAVE_SECCOMP
 static int seccomp_add_default_syscall_filter(
 scmp_filter_ctx ctx,
 uint32_t arch,
- uint64_t cap_list_retain) {
+ uint64_t cap_list_retain,
+ char **syscall_whitelist,
+ char **syscall_blacklist) {
 static const struct {
 uint64_t capability;
@@ -67,12 +70,13 @@ static int seccomp_add_default_syscall_filter(
 int r, c = 0;
 size_t i;
+ char **p;
 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
 if (blacklist[i].capability != 0 && (cap_list_retain & (1ULL << blacklist[i].capability)))
 continue;
- r = seccomp_add_syscall_filter_item(ctx, blacklist[i].name, SCMP_ACT_ERRNO(EPERM));
+ r = seccomp_add_syscall_filter_item(ctx, blacklist[i].name, SCMP_ACT_ERRNO(EPERM), syscall_whitelist);
 if (r < 0)
 /* If the system call is not known on this architecture, then that's fine, let's ignore it */
 log_debug_errno(r, "Failed to add rule for system call %s, ignoring: %m", blacklist[i].name);
@@ -80,15 +84,23 @@ static int seccomp_add_default_syscall_filter(
 c++;
 }
+ STRV_FOREACH(p, syscall_blacklist) {
+ r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ERRNO(EPERM), syscall_whitelist);
+ if (r < 0)
+ log_debug_errno(r, "Failed to add rule for system call %s, ignoring: %m", *p);
+ else
+ c++;
+ }
+
 return c;
 }
-int setup_seccomp(uint64_t cap_list_retain) {
+int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
 uint32_t arch;
 int r;
 if (!is_seccomp_available()) {
- log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP audit filter");
+ log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
 return 0;
 }
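Review bot: The two new parameters of seccomp_add_default_syscall_filter are undocumented, and their semantics are not what the names suggest: per the commit message the filter stays a blacklist, so a whitelist entry presumably only exempts a name from the denied set and never allows anything on its own. A comment above the signature would stop the next reader from assuming allow-list semantics, e.g. `/* syscall_whitelist: names to exempt from the EPERM blacklist built below (both the static table and syscall_blacklist); syscall_blacklist: extra names to deny. Neither turns this into an allow-list. */`. The body of the function continues past this hunk, so I cannot confirm how the helper treats the whitelist argument.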
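Review bot: The whitelist is now handed to seccomp_add_syscall_filter_item for every static table entry, including the ones the capability check just above decided to keep denied, so a whitelisted name can re-enable a syscall that the container would otherwise lose together with the capability it does not retain. I cannot see the helper, but if it skips names present in the list, which is what passing it alongside the blacklisted name suggests, that override deserves to be explicit at the call site: `/* A whitelist entry overrides the capability gating above: the syscall is re-enabled even if the container does not retain the matching capability. */`. The debug-level logging of failures is fine here because the table is static and the comment explains why unknown names are expected. The enclosing loop and function continue past this hunk.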
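Review bot: In the new STRV_FOREACH loop a user-supplied blacklist entry that cannot be turned into a rule is logged only at debug level and then ignored, so a misspelled name in the configuration yields a container where the syscall the operator asked to deny is still reachable, with no visible diagnostic; unlike the static table above, an unknown name here is an operator error rather than an architecture difference. I would at least raise the severity, `log_warning_errno(r, "Failed to add rule for system call %s, ignoring: %m", *p);`, or return the error so setup_seccomp fails closed. Separately, the rewritten log_debug message in setup_seccomp misspells "filtering": `log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filtering");`. setup_seccomp's body continues beyond this hunk.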
@@ -102,7 +114,7 @@ int setup_seccomp(uint64_t cap_list_retain) {
 if (r < 0)
 return log_error_errno(r, "Failed to allocate seccomp object: %m");
- n = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain);
+ n = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist);
 if (n < 0)
 return n;
@@ -141,7 +153,7 @@ int setup_seccomp(uint64_t cap_list_retain) {
 #else
-int setup_seccomp(uint64_t cap_list_retain) {
+int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
 return 0;
 } |
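Review bot: The non-seccomp stub of setup_seccomp now accepts syscall_whitelist and syscall_blacklist but still returns 0 unconditionally, so on a build without HAVE_SECCOMP an operator-configured filter is dropped silently and the container runs with a weaker sandbox than configured. Since strv.h is now included before the #ifdef, a one-line warning is cheap and fails loudly instead of open: `if (!strv_isempty(syscall_blacklist) || !strv_isempty(syscall_whitelist)) log_warning("Built without seccomp support, ignoring configured system call filter.");` (assuming strv_isempty is what strv.h provides, as elsewhere in the tree).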