]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-seccomp.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #8575 from keszybz/non-absolute-paths
[thirdparty/systemd.git] / src / nspawn / nspawn-seccomp.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2016 Lennart Poettering
6 ***/
7
8 #include <errno.h>
9 #include <linux/netlink.h>
10 #include <sys/capability.h>
11 #include <sys/types.h>
12
13 #if HAVE_SECCOMP
14 #include <seccomp.h>
15 #endif
16
17 #include "alloc-util.h"
18 #include "log.h"
19 #include "nspawn-seccomp.h"
20 #if HAVE_SECCOMP
21 #include "seccomp-util.h"
22 #endif
23 #include "string-util.h"
24 #include "strv.h"
25
26 #if HAVE_SECCOMP
27
28 static int seccomp_add_default_syscall_filter(
29 scmp_filter_ctx ctx,
30 uint32_t arch,
31 uint64_t cap_list_retain,
32 char **syscall_whitelist,
33 char **syscall_blacklist) {
34
35 static const struct {
36 uint64_t capability;
37 const char* name;
38 } whitelist[] = {
39 /* Let's use set names where we can */
40 { 0, "@aio" },
41 { 0, "@basic-io" },
42 { 0, "@chown" },
43 { 0, "@default" },
44 { 0, "@file-system" },
45 { 0, "@io-event" },
46 { 0, "@ipc" },
47 { 0, "@mount" },
48 { 0, "@network-io" },
49 { 0, "@process" },
50 { 0, "@resources" },
51 { 0, "@setuid" },
52 { 0, "@signal" },
53 { 0, "@sync" },
54 { 0, "@timer" },
55
56 /* The following four are sets we optionally enable, in case the caps have been configured for it */
57 { CAP_SYS_TIME, "@clock" },
58 { CAP_SYS_MODULE, "@module" },
59 { CAP_SYS_RAWIO, "@raw-io" },
60 { CAP_IPC_LOCK, "@memlock" },
61
62 /* Plus a good set of additional syscalls which are not part of any of the groups above */
63 { 0, "brk" },
64 { 0, "capget" },
65 { 0, "capset" },
66 { 0, "copy_file_range" },
67 { 0, "fadvise64" },
68 { 0, "fadvise64_64" },
69 { 0, "flock" },
70 { 0, "get_mempolicy" },
71 { 0, "getcpu" },
72 { 0, "getpriority" },
73 { 0, "getrandom" },
74 { 0, "ioctl" },
75 { 0, "ioprio_get" },
76 { 0, "kcmp" },
77 { 0, "madvise" },
78 { 0, "mincore" },
79 { 0, "mprotect" },
80 { 0, "mremap" },
81 { 0, "name_to_handle_at" },
82 { 0, "oldolduname" },
83 { 0, "olduname" },
84 { 0, "personality" },
85 { 0, "readahead" },
86 { 0, "readdir" },
87 { 0, "remap_file_pages" },
88 { 0, "sched_get_priority_max" },
89 { 0, "sched_get_priority_min" },
90 { 0, "sched_getaffinity" },
91 { 0, "sched_getattr" },
92 { 0, "sched_getparam" },
93 { 0, "sched_getscheduler" },
94 { 0, "sched_rr_get_interval" },
95 { 0, "sched_yield" },
96 { 0, "seccomp" },
97 { 0, "sendfile" },
98 { 0, "sendfile64" },
99 { 0, "setdomainname" },
100 { 0, "setfsgid" },
101 { 0, "setfsgid32" },
102 { 0, "setfsuid" },
103 { 0, "setfsuid32" },
104 { 0, "sethostname" },
105 { 0, "setpgid" },
106 { 0, "setsid" },
107 { 0, "splice" },
108 { 0, "sysinfo" },
109 { 0, "tee" },
110 { 0, "umask" },
111 { 0, "uname" },
112 { 0, "userfaultfd" },
113 { 0, "vmsplice" },
114
115 /* The following individual syscalls are added depending on specified caps */
116 { CAP_SYS_PACCT, "acct" },
117 { CAP_SYS_PTRACE, "process_vm_readv" },
118 { CAP_SYS_PTRACE, "process_vm_writev" },
119 { CAP_SYS_PTRACE, "ptrace" },
120 { CAP_SYS_BOOT, "reboot" },
121 { CAP_SYSLOG, "syslog" },
122 { CAP_SYS_TTY_CONFIG, "vhangup" },
123
124 /*
125 * The following syscalls and groups are knowingly excluded:
126 *
127 * @cpu-emulation
128 * @keyring (NB: keyring is not namespaced!)
129 * @obsolete
130 * @swap
131 *
132 * bpf (NB: bpffs is not namespaced!)
133 * fanotify_init
134 * fanotify_mark
135 * kexec_file_load
136 * kexec_load
137 * lookup_dcookie
138 * nfsservctl
139 * open_by_handle_at
140 * perf_event_open
141 * pkey_alloc
142 * pkey_free
143 * pkey_mprotect
144 * quotactl
145 */
146 };
147
148 int r, c = 0;
149 size_t i;
150 char **p;
151
152 for (i = 0; i < ELEMENTSOF(whitelist); i++) {
153 if (whitelist[i].capability != 0 && (cap_list_retain & (1ULL << whitelist[i].capability)) == 0)
154 continue;
155
156 r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist);
157 if (r < 0)
158 /* If the system call is not known on this architecture, then that's fine, let's ignore it */
159 log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", whitelist[i].name, seccomp_arch_to_string(arch));
160 else
161 c++;
162 }
163
164 STRV_FOREACH(p, syscall_whitelist) {
165 r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist);
166 if (r < 0)
167 log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", *p, seccomp_arch_to_string(arch));
168 else
169 c++;
170 }
171
172 return c;
173 }
174
175 int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
176 uint32_t arch;
177 int r;
178
179 if (!is_seccomp_available()) {
180 log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
181 return 0;
182 }
183
184 SECCOMP_FOREACH_LOCAL_ARCH(arch) {
185 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
186
187 log_debug("Applying whitelist on architecture: %s", seccomp_arch_to_string(arch));
188
189 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(EPERM));
190 if (r < 0)
191 return log_error_errno(r, "Failed to allocate seccomp object: %m");
192
193 r = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist);
194 if (r < 0)
195 return r;
196
197 r = seccomp_load(seccomp);
198 if (IN_SET(r, -EPERM, -EACCES))
199 return log_error_errno(r, "Failed to install seccomp filter: %m");
200 if (r < 0)
201 log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
202 }
203
204 SECCOMP_FOREACH_LOCAL_ARCH(arch) {
205 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
206
207 log_debug("Applying NETLINK_AUDIT mask on architecture: %s", seccomp_arch_to_string(arch));
208
209 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
210 if (r < 0)
211 return log_error_errno(r, "Failed to allocate seccomp object: %m");
212
213 /*
214 Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
215 container. We don't care and just turn off creation of audit sockets.
216
217 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
218 as indication that audit is disabled in the kernel.
219 */
220
221 r = seccomp_rule_add_exact(
222 seccomp,
223 SCMP_ACT_ERRNO(EAFNOSUPPORT),
224 SCMP_SYS(socket),
225 2,
226 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
227 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
228 if (r < 0) {
229 log_debug_errno(r, "Failed to add audit seccomp rule, ignoring: %m");
230 continue;
231 }
232
233 r = seccomp_load(seccomp);
234 if (IN_SET(r, -EPERM, -EACCES))
235 return log_error_errno(r, "Failed to install seccomp audit filter: %m");
236 if (r < 0)
237 log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
238 }
239
240 return 0;
241 }
242
243 #else
244
245 int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
246 return 0;
247 }
248
249 #endif
Unnamed repository; edit this file 'description' to name the repository.