]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-seccomp.c
2 This file is part of systemd.
4 Copyright 2016 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <linux/netlink.h>
22 #include <sys/capability.h>
23 #include <sys/types.h>
29 #include "alloc-util.h"
31 #include "nspawn-seccomp.h"
33 #include "seccomp-util.h"
35 #include "string-util.h"
40 static int seccomp_add_default_syscall_filter(
43 uint64_t cap_list_retain
,
44 char **syscall_whitelist
,
45 char **syscall_blacklist
) {
52 { 0, "@keyring" }, /* keyring is not namespaced */
54 { 0, "kexec_file_load" },
56 { 0, "lookup_dcookie" },
57 { 0, "open_by_handle_at" },
58 { 0, "perf_event_open" },
61 { CAP_SYSLOG
, "syslog" },
62 { CAP_SYS_MODULE
, "@module" },
63 { CAP_SYS_PACCT
, "acct" },
64 { CAP_SYS_PTRACE
, "process_vm_readv" },
65 { CAP_SYS_PTRACE
, "process_vm_writev" },
66 { CAP_SYS_PTRACE
, "ptrace" },
67 { CAP_SYS_RAWIO
, "@raw-io" },
68 { CAP_SYS_TIME
, "@clock" },
75 for (i
= 0; i
< ELEMENTSOF(blacklist
); i
++) {
76 if (blacklist
[i
].capability
!= 0 && (cap_list_retain
& (1ULL << blacklist
[i
].capability
)))
79 r
= seccomp_add_syscall_filter_item(ctx
, blacklist
[i
].name
, SCMP_ACT_ERRNO(EPERM
), syscall_whitelist
);
81 /* If the system call is not known on this architecture, then that's fine, let's ignore it */
82 log_debug_errno(r
, "Failed to add rule for system call %s, ignoring: %m", blacklist
[i
].name
);
87 STRV_FOREACH(p
, syscall_blacklist
) {
88 r
= seccomp_add_syscall_filter_item(ctx
, *p
, SCMP_ACT_ERRNO(EPERM
), syscall_whitelist
);
90 log_debug_errno(r
, "Failed to add rule for system call %s, ignoring: %m", *p
);
98 int setup_seccomp(uint64_t cap_list_retain
, char **syscall_whitelist
, char **syscall_blacklist
) {
102 if (!is_seccomp_available()) {
103 log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
107 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
108 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
111 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch
));
113 r
= seccomp_init_for_arch(&seccomp
, arch
, SCMP_ACT_ALLOW
);
115 return log_error_errno(r
, "Failed to allocate seccomp object: %m");
117 n
= seccomp_add_default_syscall_filter(seccomp
, arch
, cap_list_retain
, syscall_whitelist
, syscall_blacklist
);
122 Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
123 container. We don't care and just turn off creation of audit sockets.
125 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
126 as indication that audit is disabled in the kernel.
129 r
= seccomp_rule_add_exact(
131 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
134 SCMP_A0(SCMP_CMP_EQ
, AF_NETLINK
),
135 SCMP_A2(SCMP_CMP_EQ
, NETLINK_AUDIT
));
137 log_debug_errno(r
, "Failed to add audit seccomp rule, ignoring: %m");
141 if (n
<= 0) /* no rule added? then skip this architecture */
144 r
= seccomp_load(seccomp
);
145 if (IN_SET(r
, -EPERM
, -EACCES
))
146 return log_error_errno(r
, "Failed to install seccomp audit filter: %m");
148 log_debug_errno(r
, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
156 int setup_seccomp(uint64_t cap_list_retain
, char **syscall_whitelist
, char **syscall_blacklist
) {