2 This file is part of systemd.
4 Copyright 2016 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <linux/netlink.h>
22 #include <sys/capability.h>
23 #include <sys/types.h>
32 #include "seccomp-util.h"
35 #include "nspawn-seccomp.h"
/* Installs nspawn's default syscall denylist into @ctx. Each table entry
 * below pairs a capability with a syscall that capability normally gates
 * (raw port I/O, kexec, swap, open_by_handle_at, kernel modules, syslog).
 * @cap_list_retain is a bitmask indexed by capability number (see the
 * 1ULL << capability test in the loop); the intent of that test is that a
 * syscall stays allowed when its capability is retained by the container
 * and is otherwise denied with EPERM. Failure to add a rule is logged as
 * "Failed to block syscall". NOTE(review): the table declaration, the
 * loop's local declarations and the return statements are missing from
 * this listing, so the exact branch structure cannot be confirmed here. */
39 static int seccomp_add_default_syscall_filter(scmp_filter_ctx ctx
,
40 uint64_t cap_list_retain
) {
/* capability -> syscall pairs; the struct/array header is not shown here. */
47 { CAP_SYS_RAWIO
, SCMP_SYS(iopl
) },
48 { CAP_SYS_RAWIO
, SCMP_SYS(ioperm
) },
49 { CAP_SYS_BOOT
, SCMP_SYS(kexec_load
) },
50 { CAP_SYS_ADMIN
, SCMP_SYS(swapon
) },
51 { CAP_SYS_ADMIN
, SCMP_SYS(swapoff
) },
52 { CAP_SYS_ADMIN
, SCMP_SYS(open_by_handle_at
) },
53 { CAP_SYS_MODULE
, SCMP_SYS(init_module
) },
54 { CAP_SYS_MODULE
, SCMP_SYS(finit_module
) },
55 { CAP_SYS_MODULE
, SCMP_SYS(delete_module
) },
56 { CAP_SYSLOG
, SCMP_SYS(syslog
) },
/* One EPERM rule per entry whose capability the container does not keep. */
59 for (i
= 0; i
< ELEMENTSOF(blacklist
); i
++) {
/* Bit test against the retained-capability mask; the statement executed
 * when the capability IS retained is not shown in this listing. */
60 if (cap_list_retain
& (1ULL << blacklist
[i
].capability
))
/* Deny the syscall outright: zero argument comparisons, so every
 * invocation of it fails with EPERM. */
63 r
= seccomp_rule_add(ctx
, SCMP_ACT_ERRNO(EPERM
), blacklist
[i
].syscall_num
, 0);
/* A syscall unknown to the seccomp library is skipped rather than treated
 * as an error (the test guarding this continue is not shown). */
65 continue; /* unknown syscall */
/* Any other failure to install a rule is logged as an error. */
67 log_error_errno(r
, "Failed to block syscall: %m");
/* Builds and loads the seccomp filter for the container payload.
 * This is a denylist: the context is created with SCMP_ACT_ALLOW, so
 * every syscall is permitted unless a rule below denies it. The rules
 * cover (a) the capability-gated syscalls installed by
 * seccomp_add_default_syscall_filter(), driven by @cap_list_retain, and
 * (b) creation of NETLINK_AUDIT sockets. NOTE(review): the variable
 * declarations, the error checks/returns and any cleanup labels between
 * the visible statements are missing from this listing. */
75 int setup_seccomp(uint64_t cap_list_retain
) {
76 scmp_filter_ctx seccomp
;
/* Default action ALLOW: anything not matched by a rule passes through. */
79 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
/* Presumably registers the compatibility ABIs as well, so the rules apply
 * regardless of which syscall ABI the payload uses — confirm against
 * seccomp_add_secondary_archs() in seccomp-util.h. */
83 r
= seccomp_add_secondary_archs(seccomp
);
85 log_error_errno(r
, "Failed to add secondary archs to seccomp filter: %m");
/* Capability-gated denylist (see seccomp_add_default_syscall_filter). */
89 r
= seccomp_add_default_syscall_filter(seccomp
, cap_list_retain
);
94 Audit is broken in containers, much of the userspace audit
95 hookup will fail if running inside a container. We don't
96 care and just turn off creation of audit sockets.
98 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
99 with EAFNOSUPPORT which audit userspace uses as indication
100 that audit is disabled in the kernel.
/* socket() arguments: A0 = domain (AF_NETLINK), A2 = protocol
 * (NETLINK_AUDIT); the type argument (A1) is not constrained. The line
 * naming the syscall for this rule is missing from the listing. */
103 r
= seccomp_rule_add(
105 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
108 SCMP_A0(SCMP_CMP_EQ
, AF_NETLINK
),
109 SCMP_A2(SCMP_CMP_EQ
, NETLINK_AUDIT
));
111 log_error_errno(r
, "Failed to add audit seccomp rule: %m");
/* CTL_NNP = 0: do not set NO_NEW_PRIVS when the filter is loaded.
 * NOTE(review): without no_new_privs the kernel only accepts the filter
 * from a loader holding CAP_SYS_ADMIN in its user namespace, and
 * setuid/file-capability binaries inside the container keep their
 * privilege transitions — confirm this is the intended trade-off. */
115 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
117 log_error_errno(r
, "Failed to unset NO_NEW_PRIVS: %m");
/* Hand the filter to the kernel. */
121 r
= seccomp_load(seccomp
);
/* A kernel built without seccomp is tolerated at debug level; the
 * container then runs with NO syscall filter at all (the errno test
 * selecting this branch is not shown in the listing). */
123 log_debug_errno(r
, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m");
/* Any other load failure is reported as a hard error. */
128 log_error_errno(r
, "Failed to install seccomp audit filter: %m");
/* Free the userspace filter context; presumably the common exit path. */
133 seccomp_release(seccomp
);
139 int setup_seccomp(uint64_t cap_list_retain
) {