]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-seccomp.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
4 #include <linux/netlink.h>
5 #include <sys/capability.h>
6 #include <sys/socket.h>
13 #include "alloc-util.h"
15 #include "nspawn-seccomp.h"
17 #include "seccomp-util.h"
19 #include "string-util.h"
24 static int add_syscall_filters(
27 uint64_t cap_list_retain
,
28 char **syscall_allow_list
,
29 char **syscall_deny_list
) {
35 /* Let's use set names where we can */
40 { 0, "@file-system" },
52 /* The following four are sets we optionally enable, in case the caps have been configured for it */
53 { CAP_SYS_TIME
, "@clock" },
54 { CAP_SYS_MODULE
, "@module" },
55 { CAP_SYS_RAWIO
, "@raw-io" },
56 { CAP_IPC_LOCK
, "@memlock" },
58 /* Plus a good set of additional syscalls which are not part of any of the groups above */
62 { 0, "copy_file_range" },
64 { 0, "fadvise64_64" },
66 { 0, "get_mempolicy" },
77 { 0, "name_to_handle_at" },
83 { 0, "remap_file_pages" },
84 { 0, "sched_get_priority_max" },
85 { 0, "sched_get_priority_min" },
86 { 0, "sched_getaffinity" },
87 { 0, "sched_getattr" },
88 { 0, "sched_getparam" },
89 { 0, "sched_getscheduler" },
90 { 0, "sched_rr_get_interval" },
95 { 0, "setdomainname" },
100 { 0, "sethostname" },
108 { 0, "userfaultfd" },
111 /* The following individual syscalls are added depending on specified caps */
112 { CAP_SYS_PACCT
, "acct" },
113 { CAP_SYS_PTRACE
, "process_vm_readv" },
114 { CAP_SYS_PTRACE
, "process_vm_writev" },
115 { CAP_SYS_PTRACE
, "ptrace" },
116 { CAP_SYS_BOOT
, "reboot" },
117 { CAP_SYSLOG
, "syslog" },
118 { CAP_SYS_TTY_CONFIG
, "vhangup" },
121 * The following syscalls and groups are knowingly excluded:
124 * @keyring (NB: keyring is not namespaced!)
129 * bpf (NB: bpffs is not namespaced!)
142 _cleanup_strv_free_
char **added
= NULL
;
146 for (size_t i
= 0; i
< ELEMENTSOF(allow_list
); i
++) {
147 if (allow_list
[i
].capability
!= 0 && (cap_list_retain
& (1ULL << allow_list
[i
].capability
)) == 0)
150 r
= seccomp_add_syscall_filter_item(ctx
,
157 return log_error_errno(r
, "Failed to add syscall filter item %s: %m", allow_list
[i
].name
);
160 STRV_FOREACH(p
, syscall_allow_list
) {
161 r
= seccomp_add_syscall_filter_item(ctx
, *p
, SCMP_ACT_ALLOW
, syscall_deny_list
, true, &added
);
163 log_warning_errno(r
, "Failed to add rule for system call %s on %s, ignoring: %m",
164 *p
, seccomp_arch_to_string(arch
));
167 /* The default action is ENOSYS. Respond with EPERM to all other "known" but not allow-listed
169 r
= seccomp_add_syscall_filter_item(ctx
, "@known", SCMP_ACT_ERRNO(EPERM
), added
, true, NULL
);
171 log_warning_errno(r
, "Failed to add rule for @known set on %s, ignoring: %m",
172 seccomp_arch_to_string(arch
));
174 #if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
175 /* We have a large filter here, so let's turn on the binary tree mode if possible. */
176 r
= seccomp_attr_set(ctx
, SCMP_FLTATR_CTL_OPTIMIZE
, 2);
184 int setup_seccomp(uint64_t cap_list_retain
, char **syscall_allow_list
, char **syscall_deny_list
) {
188 if (!is_seccomp_available()) {
189 log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
193 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
194 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
196 log_debug("Applying allow list on architecture: %s", seccomp_arch_to_string(arch
));
198 /* We install ENOSYS as the default action, but it will only apply to syscalls which are not
199 * in the @known set, see above. */
200 r
= seccomp_init_for_arch(&seccomp
, arch
, SCMP_ACT_ERRNO(ENOSYS
));
202 return log_error_errno(r
, "Failed to allocate seccomp object: %m");
204 r
= add_syscall_filters(seccomp
, arch
, cap_list_retain
, syscall_allow_list
, syscall_deny_list
);
208 r
= seccomp_load(seccomp
);
209 if (ERRNO_IS_SECCOMP_FATAL(r
))
210 return log_error_errno(r
, "Failed to install seccomp filter: %m");
212 log_debug_errno(r
, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
215 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
216 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
218 log_debug("Applying NETLINK_AUDIT mask on architecture: %s", seccomp_arch_to_string(arch
));
220 r
= seccomp_init_for_arch(&seccomp
, arch
, SCMP_ACT_ALLOW
);
222 return log_error_errno(r
, "Failed to allocate seccomp object: %m");
225 Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
226 container. We don't care and just turn off creation of audit sockets.
228 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
229 as indication that audit is disabled in the kernel.
232 r
= seccomp_rule_add_exact(
234 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
237 SCMP_A0(SCMP_CMP_EQ
, AF_NETLINK
),
238 SCMP_A2(SCMP_CMP_EQ
, NETLINK_AUDIT
));
240 log_debug_errno(r
, "Failed to add audit seccomp rule, ignoring: %m");
244 r
= seccomp_load(seccomp
);
245 if (ERRNO_IS_SECCOMP_FATAL(r
))
246 return log_error_errno(r
, "Failed to install seccomp audit filter: %m");
248 log_debug_errno(r
, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
256 int setup_seccomp(uint64_t cap_list_retain
, char **syscall_allow_list
, char **syscall_deny_list
) {