authorKevin Kuehler <keur@xcf.berkeley.edu>2019-11-10 01:17:01 -0800
committerKevin Kuehler <keur@xcf.berkeley.edu>2019-11-14 12:58:43 -0800
commit94a7b2759d39fcfed1381ac324cc24a83ec4d1be (patch)
treef0d16d22a0c3429b1d2f2a54adb1e112a8fec757 /src
parent07cab0f72b084644f12dc3083f880514250590fe (diff)
downloadsystemd-94a7b2759d39fcfed1381ac324cc24a83ec4d1be.tar.gz
core: ProtectKernelLogs= mask kmsg in proc and sys
Block access to /dev/kmsg and /proc/kmsg when ProtectKernelLogs is set.
Diffstat (limited to 'src')
-rw-r--r--src/core/execute.c2
-rw-r--r--src/core/namespace.c15
-rw-r--r--src/core/namespace.h1
3 files changed, 17 insertions, 1 deletions
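--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1872,6 +1872,7 @@ static bool exec_needs_mount_namespace(
 context->protect_home != PROTECT_HOME_NO ||
 context->protect_kernel_tunables ||
 context->protect_kernel_modules ||
+ context->protect_kernel_logs ||
 context->protect_control_groups)
 return true;
@@ -2507,6 +2508,7 @@ static int apply_mount_namespace(
 .protect_control_groups = context->protect_control_groups,
 .protect_kernel_tunables = context->protect_kernel_tunables,
 .protect_kernel_modules = context->protect_kernel_modules,
+ .protect_kernel_logs = context->protect_kernel_logs,
 .protect_hostname = context->protect_hostname,
 .mount_apivfs = context->mount_apivfs,
 .private_mounts = context->private_mounts,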
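--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -109,6 +109,12 @@ static const MountEntry protect_kernel_modules_table[] = {
 { "/usr/lib/modules", INACCESSIBLE, true },
 };
+/* ProtectKernelLogs= option */
+static const MountEntry protect_kernel_logs_table[] = {
+ { "/proc/kmsg", INACCESSIBLE, true },
+ { "/dev/kmsg", INACCESSIBLE, true },
+};
+
 /*
 * ProtectHome=read-only table, protect $HOME and $XDG_RUNTIME_DIR and rest of
 * system should be protected by ProtectSystem=
@@ -1147,8 +1153,9 @@ static size_t namespace_calculate_mounts(
 n_temporary_filesystems +
 ns_info->private_dev +
 (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
- (ns_info->protect_control_groups ? 1 : 0) +
 (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
+ (ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) +
+ (ns_info->protect_control_groups ? 1 : 0) +
 protect_home_cnt + protect_system_cnt +
 (ns_info->protect_hostname ? 2 : 0) +
 (namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0);
@@ -1319,6 +1326,12 @@ int setup_namespace(
 goto finish;
 }
+ if (ns_info->protect_kernel_logs) {
+ r = append_static_mounts(&m, protect_kernel_logs_table, ELEMENTSOF(protect_kernel_logs_table), ns_info->ignore_protect_paths);
+ if (r < 0)
+ goto finish;
+ }
+
 if (ns_info->protect_control_groups) {
 *(m++) = (MountEntry) {
 .path_const = "/sys/fs/cgroup",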
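Review bot: Masking /proc/kmsg and /dev/kmsg in protect_kernel_logs_table (first hunk) closes only the file-based interfaces to the kernel log; a process that still holds CAP_SYSLOG can read the same ring buffer through the syslog(2) system call, which a mount namespace cannot mask, so ProtectKernelLogs= is only complete if a companion change also drops CAP_SYSLOG from the bounding set and filters syslog(2) — neither appears in this commit, and the table comment should say where that part lives. I would expand the one-line comment to `/* ProtectKernelLogs= option: masks the file-based kmsg interfaces only; syslog(2) access must be blocked separately (CAP_SYSLOG / seccomp) */`. The `true` in the third column looks like the ignore-if-missing flag, presumably so units that also set PrivateDevices= (no /dev/kmsg) do not fail, which is worth a word since it otherwise reads as a silent no-op. The count added in namespace_calculate_mounts and the append_static_mounts() call in the last hunk agree; setup_namespace's body continues outside the hunk.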
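--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -51,6 +51,7 @@ struct NamespaceInfo {
 bool protect_control_groups:1;
 bool protect_kernel_tunables:1;
 bool protect_kernel_modules:1;
+ bool protect_kernel_logs:1;
 bool mount_apivfs:1;
 bool protect_hostname:1;
 };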