]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-seccomp.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2016 Lennart Poettering
9 #include <linux/netlink.h>
10 #include <sys/capability.h>
11 #include <sys/types.h>
17 #include "alloc-util.h"
19 #include "nspawn-seccomp.h"
21 #include "seccomp-util.h"
23 #include "string-util.h"
28 static int seccomp_add_default_syscall_filter(
31 uint64_t cap_list_retain
,
32 char **syscall_whitelist
,
33 char **syscall_blacklist
) {
39 /* Let's use set names where we can */
44 { 0, "@file-system" },
56 /* The following four are sets we optionally enable, in case the caps have been configured for it */
57 { CAP_SYS_TIME
, "@clock" },
58 { CAP_SYS_MODULE
, "@module" },
59 { CAP_SYS_RAWIO
, "@raw-io" },
60 { CAP_IPC_LOCK
, "@memlock" },
62 /* Plus a good set of additional syscalls which are not part of any of the groups above */
66 { 0, "copy_file_range" },
68 { 0, "fadvise64_64" },
70 { 0, "get_mempolicy" },
81 { 0, "name_to_handle_at" },
87 { 0, "remap_file_pages" },
88 { 0, "sched_get_priority_max" },
89 { 0, "sched_get_priority_min" },
90 { 0, "sched_getaffinity" },
91 { 0, "sched_getattr" },
92 { 0, "sched_getparam" },
93 { 0, "sched_getscheduler" },
94 { 0, "sched_rr_get_interval" },
99 { 0, "setdomainname" },
104 { 0, "sethostname" },
112 { 0, "userfaultfd" },
115 /* The following individual syscalls are added depending on specified caps */
116 { CAP_SYS_PACCT
, "acct" },
117 { CAP_SYS_PTRACE
, "process_vm_readv" },
118 { CAP_SYS_PTRACE
, "process_vm_writev" },
119 { CAP_SYS_PTRACE
, "ptrace" },
120 { CAP_SYS_BOOT
, "reboot" },
121 { CAP_SYSLOG
, "syslog" },
122 { CAP_SYS_TTY_CONFIG
, "vhangup" },
125 * The following syscalls and groups are knowingly excluded:
128 * @keyring (NB: keyring is not namespaced!)
132 * bpf (NB: bpffs is not namespaced!)
152 for (i
= 0; i
< ELEMENTSOF(whitelist
); i
++) {
153 if (whitelist
[i
].capability
!= 0 && (cap_list_retain
& (1ULL << whitelist
[i
].capability
)) == 0)
156 r
= seccomp_add_syscall_filter_item(ctx
, whitelist
[i
].name
, SCMP_ACT_ALLOW
, syscall_blacklist
);
158 /* If the system call is not known on this architecture, then that's fine, let's ignore it */
159 log_debug_errno(r
, "Failed to add rule for system call %s on %s, ignoring: %m", whitelist
[i
].name
, seccomp_arch_to_string(arch
));
164 STRV_FOREACH(p
, syscall_whitelist
) {
165 r
= seccomp_add_syscall_filter_item(ctx
, *p
, SCMP_ACT_ALLOW
, syscall_blacklist
);
167 log_debug_errno(r
, "Failed to add rule for system call %s on %s, ignoring: %m", *p
, seccomp_arch_to_string(arch
));
175 int setup_seccomp(uint64_t cap_list_retain
, char **syscall_whitelist
, char **syscall_blacklist
) {
179 if (!is_seccomp_available()) {
180 log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
184 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
185 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
187 log_debug("Applying whitelist on architecture: %s", seccomp_arch_to_string(arch
));
189 r
= seccomp_init_for_arch(&seccomp
, arch
, SCMP_ACT_ERRNO(EPERM
));
191 return log_error_errno(r
, "Failed to allocate seccomp object: %m");
193 r
= seccomp_add_default_syscall_filter(seccomp
, arch
, cap_list_retain
, syscall_whitelist
, syscall_blacklist
);
197 r
= seccomp_load(seccomp
);
198 if (IN_SET(r
, -EPERM
, -EACCES
))
199 return log_error_errno(r
, "Failed to install seccomp filter: %m");
201 log_debug_errno(r
, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
204 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
205 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
207 log_debug("Applying NETLINK_AUDIT mask on architecture: %s", seccomp_arch_to_string(arch
));
209 r
= seccomp_init_for_arch(&seccomp
, arch
, SCMP_ACT_ALLOW
);
211 return log_error_errno(r
, "Failed to allocate seccomp object: %m");
214 Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
215 container. We don't care and just turn off creation of audit sockets.
217 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
218 as indication that audit is disabled in the kernel.
221 r
= seccomp_rule_add_exact(
223 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
226 SCMP_A0(SCMP_CMP_EQ
, AF_NETLINK
),
227 SCMP_A2(SCMP_CMP_EQ
, NETLINK_AUDIT
));
229 log_debug_errno(r
, "Failed to add audit seccomp rule, ignoring: %m");
233 r
= seccomp_load(seccomp
);
234 if (IN_SET(r
, -EPERM
, -EACCES
))
235 return log_error_errno(r
, "Failed to install seccomp audit filter: %m");
237 log_debug_errno(r
, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
245 int setup_seccomp(uint64_t cap_list_retain
, char **syscall_whitelist
, char **syscall_blacklist
) {