From: Zbigniew Jędrzejewski-Szmek Date: Fri, 21 Aug 2020 15:23:48 +0000 (+0200) Subject: nspawn: return ENOSYS by default, EPERM for "known" calls X-Git-Tag: v247-rc1~375^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3573e032f26724949e86626eace058d006b8bf70;p=thirdparty%2Fsystemd.git nspawn: return ENOSYS by default, EPERM for "known" calls --- diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index 5b0ba465946..2a64cf82586 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -21,7 +21,7 @@ #if HAVE_SECCOMP -static int seccomp_add_default_syscall_filter( +static int add_syscall_filters( scmp_filter_ctx ctx, uint32_t arch, uint64_t cap_list_retain, @@ -139,6 +139,7 @@ static int seccomp_add_default_syscall_filter( */ }; + _cleanup_strv_free_ char **added = NULL; char **p; int r; @@ -151,18 +152,25 @@ static int seccomp_add_default_syscall_filter( SCMP_ACT_ALLOW, syscall_deny_list, false, - NULL); + &added); if (r < 0) return log_error_errno(r, "Failed to add syscall filter item %s: %m", allow_list[i].name); } STRV_FOREACH(p, syscall_allow_list) { - r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true, NULL); + r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true, &added); if (r < 0) log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", *p, seccomp_arch_to_string(arch)); } + /* The default action is ENOSYS. Respond with EPERM to all other "known" but not allow-listed + * syscalls. */ + r = seccomp_add_syscall_filter_item(ctx, "@known", SCMP_ACT_ERRNO(EPERM), added, true, NULL); + if (r < 0) + log_warning_errno(r, "Failed to add rule for @known set on %s, ignoring: %m", + seccomp_arch_to_string(arch)); + return 0; } 
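Review bot: The `@known` → EPERM rule added at the end of the third hunk is a built-in rule, yet a failure to install it is only logged with `log_warning_errno` and the function still returns 0, whereas the built-in `allow_list[i]` entries above fail hard with `return log_error_errno`. If that rule is missing, every filtered "known" syscall in the container yields ENOSYS instead of the EPERM the comment promises, which a caller may read as "syscall not implemented" and quietly take a fallback path, and nothing but a warning records that the sandbox's error semantics changed. Unless a failure here is expected on some architectures (in which case the comment should say so), I would fail the same way the built-in entries do: `return log_error_errno(r, "Failed to add rule for @known set on %s: %m", seccomp_arch_to_string(arch));`. The comment could also state where the default action comes from, since it is installed by the caller rather than here: `/* setup_seccomp() installs ENOSYS as the filter's default action; respond with EPERM to all other "known" but not allow-listed syscalls. */`. The enclosing function's start lies outside this hunk.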
@@ -180,11 +188,13 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy log_debug("Applying allow list on architecture: %s", seccomp_arch_to_string(arch)); - r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(EPERM)); + /* We install ENOSYS as the default action, but it will only apply to syscalls which are not + * in the @known set, see above. */ + r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(ENOSYS)); if (r < 0) return log_error_errno(r, "Failed to allocate seccomp object: %m"); - r = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_allow_list, syscall_deny_list); + r = add_syscall_filters(seccomp, arch, cap_list_retain, syscall_allow_list, syscall_deny_list); if (r < 0) return r;