authorDjalal Harouni <tixxdz@opendz.org>2017-10-03 07:20:05 +0200
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2017-10-03 07:20:05 +0200
commit09d3020b0a4da6fcd5f23b93ac327c5619b5f871 (patch)
treefd6140622711194a5a02645b0d69708c85be47aa /src/shared/seccomp-util.c
parent8502cadd4c47ef853d10622957541bbcee43b96c (diff)
seccomp: remove '@credentials' syscall set (#6958)
This removes the '@credentials' syscall set that was added in commit v234-468-gcd0ddf6f75. Most of these syscalls are so simple that we do not want to filter them: they operate on the current calling process, perform only read operations, and do not have a deep kernel path. The only problematic one may be the 'capget' syscall, since it can query arbitrary processes and so be used to discover them; however, sending signal 0 to arbitrary processes can equally be used to discover whether a process exists. It is unfortunate that Linux allows querying the processes of other users. Let's put it in the '@process' syscall set for now, and later we may add it to a new '@basic-process' set that allows the most basic process operations.
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r--src/shared/seccomp-util.c49
1 files changed, 21 insertions, 28 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 5e78a088e9..a7720c53dc 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -281,8 +281,28 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"futex\0"
"get_robust_list\0"
"get_thread_area\0"
+ "getegid\0"
+ "getegid32\0"
+ "geteuid\0"
+ "geteuid32\0"
+ "getgid\0"
+ "getgid32\0"
+ "getgroups\0"
+ "getgroups32\0"
+ "getpgid\0"
+ "getpgrp\0"
+ "getpid\0"
+ "getppid\0"
+ "getresgid\0"
+ "getresgid32\0"
+ "getresuid\0"
+ "getresuid32\0"
"getrlimit\0" /* make sure processes can query stack size and such */
+ "getsid\0"
+ "gettid\0"
"gettimeofday\0"
+ "getuid\0"
+ "getuid32\0"
"membarrier\0"
"nanosleep\0"
"pause\0"
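Review bot: The identity getters added at lines 26–47 carry no comment, while the neighbouring `getrlimit` entry does; a short comment on the first added entry, `"getegid\0" /* credential queries on the calling process: read-only, shallow kernel path (moved from @credentials) */`, would keep the rationale from the commit message next to the code. The `[SYSCALL_FILTER_SET_…] = {` header of this set lies above the hunk, so which set receives them (presumably the basic/default set) is inferred rather than visible. Since the second hunk deletes the `@credentials` entry, the `SYSCALL_FILTER_SET_CREDENTIALS` enumerator must be dropped from the enum that indexes this array as well, otherwise that slot stays zero-initialised and any walk over `syscall_filter_sets` reaches a NULL `.name`; the diffstat is limited to this file, so that cannot be confirmed here. Units that specify `SystemCallFilter=@credentials` will also stop resolving the name, which may deserve a mention in the release notes.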
@@ -333,32 +353,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"vm86\0"
"vm86old\0"
},
- [SYSCALL_FILTER_SET_CREDENTIALS] = {
- .name = "@credentials",
- .help = "Query own process credentials",
- .value =
- "capget\0"
- "getegid\0"
- "getegid32\0"
- "geteuid\0"
- "geteuid32\0"
- "getgid\0"
- "getgid32\0"
- "getgroups\0"
- "getgroups32\0"
- "getpgid\0"
- "getpgrp\0"
- "getpid\0"
- "getppid\0"
- "getresgid\0"
- "getresgid32\0"
- "getresuid\0"
- "getresuid32\0"
- "getsid\0"
- "gettid\0"
- "getuid\0"
- "getuid32\0"
- },
[SYSCALL_FILTER_SET_DEBUG] = {
.name = "@debug",
.help = "Debugging, performance monitoring and tracing functionality",
@@ -645,11 +639,10 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.help = "Process control, execution, namespaceing operations",
.value =
"arch_prctl\0"
+ "capget\0" /* Able to query arbitrary processes */
"clone\0"
"execveat\0"
"fork\0"
- "getpid\0"
- "getppid\0"
"getrusage\0"
"gettid\0"
"kill\0"
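Review bot: `"gettid\0"` at line 95 stays in the `@process` set even though the same syscall is added to the basic set in the first hunk (line 44), while `getpid` and `getppid`, moved in exactly the same way, are removed here at lines 92–93; for consistency either drop `"gettid\0"` from this set too or keep all three. The enclosing `@process` array entry starts and ends outside the hunk. The comment on the new `capget` entry could also state why it lands here rather than in the basic set, e.g. `"capget\0" /* can read the capabilities of arbitrary processes, so kept out of the basic set */`.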