]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-seccomp.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #6811 from fbuihuu/dont-detach-root-DM-dev
[thirdparty/systemd.git] / src / nspawn / nspawn-seccomp.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2016 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <linux/netlink.h>
22 #include <sys/capability.h>
23 #include <sys/types.h>
24
25 #ifdef HAVE_SECCOMP
26 #include <seccomp.h>
27 #endif
28
29 #include "alloc-util.h"
30 #include "log.h"
31 #include "nspawn-seccomp.h"
32 #ifdef HAVE_SECCOMP
33 #include "seccomp-util.h"
34 #endif
35 #include "string-util.h"
36 #include "strv.h"
37
38 #ifdef HAVE_SECCOMP
39
40 static int seccomp_add_default_syscall_filter(
41 scmp_filter_ctx ctx,
42 uint32_t arch,
43 uint64_t cap_list_retain,
44 char **syscall_whitelist,
45 char **syscall_blacklist) {
46
47 static const struct {
48 uint64_t capability;
49 const char* name;
50 } blacklist[] = {
51 { 0, "@obsolete" },
52 { 0, "@keyring" }, /* keyring is not namespaced */
53 { 0, "bpf" },
54 { 0, "kexec_file_load" },
55 { 0, "kexec_load" },
56 { 0, "lookup_dcookie" },
57 { 0, "open_by_handle_at" },
58 { 0, "perf_event_open" },
59 { 0, "quotactl" },
60 { 0, "@swap" },
61 { CAP_SYSLOG, "syslog" },
62 { CAP_SYS_MODULE, "@module" },
63 { CAP_SYS_PACCT, "acct" },
64 { CAP_SYS_PTRACE, "process_vm_readv" },
65 { CAP_SYS_PTRACE, "process_vm_writev" },
66 { CAP_SYS_PTRACE, "ptrace" },
67 { CAP_SYS_RAWIO, "@raw-io" },
68 { CAP_SYS_TIME, "@clock" },
69 };
70
71 int r, c = 0;
72 size_t i;
73 char **p;
74
75 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
76 if (blacklist[i].capability != 0 && (cap_list_retain & (1ULL << blacklist[i].capability)))
77 continue;
78
79 r = seccomp_add_syscall_filter_item(ctx, blacklist[i].name, SCMP_ACT_ERRNO(EPERM), syscall_whitelist);
80 if (r < 0)
81 /* If the system call is not known on this architecture, then that's fine, let's ignore it */
82 log_debug_errno(r, "Failed to add rule for system call %s, ignoring: %m", blacklist[i].name);
83 else
84 c++;
85 }
86
87 STRV_FOREACH(p, syscall_blacklist) {
88 r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ERRNO(EPERM), syscall_whitelist);
89 if (r < 0)
90 log_debug_errno(r, "Failed to add rule for system call %s, ignoring: %m", *p);
91 else
92 c++;
93 }
94
95 return c;
96 }
97
98 int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
99 uint32_t arch;
100 int r;
101
102 if (!is_seccomp_available()) {
103 log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
104 return 0;
105 }
106
107 SECCOMP_FOREACH_LOCAL_ARCH(arch) {
108 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
109 int n;
110
111 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
112
113 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
114 if (r < 0)
115 return log_error_errno(r, "Failed to allocate seccomp object: %m");
116
117 n = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist);
118 if (n < 0)
119 return n;
120
121 /*
122 Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
123 container. We don't care and just turn off creation of audit sockets.
124
125 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
126 as indication that audit is disabled in the kernel.
127 */
128
129 r = seccomp_rule_add_exact(
130 seccomp,
131 SCMP_ACT_ERRNO(EAFNOSUPPORT),
132 SCMP_SYS(socket),
133 2,
134 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
135 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
136 if (r < 0)
137 log_debug_errno(r, "Failed to add audit seccomp rule, ignoring: %m");
138 else
139 n++;
140
141 if (n <= 0) /* no rule added? then skip this architecture */
142 continue;
143
144 r = seccomp_load(seccomp);
145 if (IN_SET(r, -EPERM, -EACCES))
146 return log_error_errno(r, "Failed to install seccomp audit filter: %m");
147 if (r < 0)
148 log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
149 }
150
151 return 0;
152 }
153
154 #else
155
156 int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
157 return 0;
158 }
159
160 #endif
Unnamed repository; edit this file 'description' to name the repository.