From fc64760dda4d0c53bdd93b9eb7b9c6a92c66ce1c Mon Sep 17 00:00:00 2001
From: Kevin Kuehler
Date: Sun, 26 Jan 2020 12:23:33 -0800
Subject: [PATCH] core: shared: Add ProtectClock= to systemd.exec

---
 src/core/dbus-execute.c               |  3 +++
 src/core/execute.c                    | 22 ++++++++++++++++++++++
 src/core/execute.h                    |  1 +
 src/core/load-fragment-gperf.gperf.m4 |  1 +
 src/core/unit.c                       |  9 +++++++++
 src/shared/bus-unit-util.c            |  1 +
 6 files changed, 37 insertions(+)

diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index c6772ba8431..4f412649c83 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -1284,6 +1284,9 @@ int bus_exec_context_set_transient_property(
         if (streq(name, "ProtectKernelLogs"))
                 return bus_set_transient_bool(u, name, &c->protect_kernel_logs, message, flags, error);
 
+        if (streq(name, "ProtectClock"))
+                return bus_set_transient_bool(u, name, &c->protect_clock, message, flags, error);
+
         if (streq(name, "ProtectControlGroups"))
                 return bus_set_transient_bool(u, name, &c->protect_control_groups, message, flags, error);
 
diff --git a/src/core/execute.c b/src/core/execute.c
index f3d2005637f..59d7714f2c6 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1402,6 +1402,7 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
                 c->restrict_realtime ||
                 c->restrict_suid_sgid ||
                 exec_context_restrict_namespaces_set(c) ||
+                c->protect_clock ||
                 c->protect_kernel_tunables ||
                 c->protect_kernel_modules ||
                 c->protect_kernel_logs ||
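Review bot: Only the transient-property setter in bus_exec_context_set_transient_property() learns about ProtectClock, and the diffstat lists exactly these three added lines for dbus-execute.c, so the new flag is not exported as a readable bus property anywhere in this patch. If the exec vtable in this file exposes ProtectKernelLogs and the other Protect*= booleans through SD_BUS_PROPERTY entries, as it appears to, `systemctl show` and other introspection will not report ProtectClock until a matching entry such as `SD_BUS_PROPERTY("ProtectClock", "b", bus_property_get_bool, offsetof(ExecContext, protect_clock), SD_BUS_VTABLE_PROPERTY_CONST),` is added next to its siblings. The enclosing function starts and ends outside the hunk, so the vtable itself cannot be checked here.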
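Review bot: Adding `c->protect_clock` to the condition list of context_has_no_new_privileges() means that, judging by the function's name and the company it keeps, enabling ProtectClock= also implicitly turns on no-new-privileges, and nothing in the patch records that side effect: the diffstat touches no man page. The option's documentation should state that ProtectClock= implies NoNewPrivileges= and that it removes CAP_SYS_TIME and CAP_WAKE_ALARM from the bounding set (see the unit.c hunk), since both change behaviour for services that rely on setuid helpers or on those capabilities. The body of context_has_no_new_privileges() continues on both sides of the hunk.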
@@ -1564,6 +1565,19 @@ static int apply_protect_kernel_logs(const Unit *u, const ExecContext *c) {
         return seccomp_protect_syslog();
 }
 
+static int apply_protect_clock(const Unit *u, const ExecContext *c) {
+        assert(u);
+        assert(c);
+
+        if (!c->protect_clock)
+                return 0;
+
+        if (skip_seccomp_unavailable(u, "ProtectClock="))
+                return 0;
+
+        return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK, SCMP_ACT_ERRNO(EPERM), false);
+}
+
 static int apply_private_devices(const Unit *u, const ExecContext *c) {
         assert(u);
         assert(c);
@@ -3797,6 +3811,12 @@ static int exec_child(
                         return log_unit_error_errno(unit, r, "Failed to apply kernel log restrictions: %m");
                 }
 
+                r = apply_protect_clock(unit, context);
+                if (r < 0) {
+                        *exit_status = EXIT_SECCOMP;
+                        return log_unit_error_errno(unit, r, "Failed to apply clock restrictions: %m");
+                }
+
                 r = apply_private_devices(unit, context);
                 if (r < 0) {
                         *exit_status = EXIT_SECCOMP;
@@ -4437,6 +4457,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
                 "%sProtectKernelTunables: %s\n"
                 "%sProtectKernelModules: %s\n"
                 "%sProtectKernelLogs: %s\n"
+                "%sProtectClock: %s\n"
                 "%sProtectControlGroups: %s\n"
                 "%sPrivateNetwork: %s\n"
                 "%sPrivateUsers: %s\n"
@@ -4458,6 +4479,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
                 prefix, yes_no(c->protect_kernel_tunables),
                 prefix, yes_no(c->protect_kernel_modules),
                 prefix, yes_no(c->protect_kernel_logs),
+                prefix, yes_no(c->protect_clock),
                 prefix, yes_no(c->protect_control_groups),
                 prefix, yes_no(c->private_network),
                 prefix, yes_no(c->private_users),
diff --git a/src/core/execute.h b/src/core/execute.h
index c923b1fa213..5aacac4a40e 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
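Review bot: apply_protect_clock() carries no comment, and unlike its neighbour apply_protect_kernel_logs(), which delegates to a dedicated seccomp_protect_syslog() helper, it builds the filter call inline, so a reader gets no hint that the seccomp filter is only one half of the enforcement. A header comment such as `/* ProtectClock=: reject the clock-setting syscall set with EPERM. unit_patch_contexts() complements this by dropping CAP_SYS_TIME/CAP_WAKE_ALARM from the bounding set and granting read-only access to the RTC device. */` would tie this hunk to the unit.c changes in the same patch. The early return on skip_seccomp_unavailable() is also worth a one-line note that protection then rests on the capability drop alone. Like the adjacent helpers this presumably lives in the HAVE_SECCOMP section of execute.c, which the hunk does not show; the exec_child() hunk below reporting failure as EXIT_SECCOMP is consistent with that.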
@@ -258,6 +258,7 @@ struct ExecContext {
         bool protect_kernel_tunables;
         bool protect_kernel_modules;
         bool protect_kernel_logs;
+        bool protect_clock;
         bool protect_control_groups;
         ProtectSystem protect_system;
         ProtectHome protect_home;
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index c1f8ac7bb24..9e622597bee 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -116,6 +116,7 @@ $1.PrivateDevices, config_parse_bool, 0,
 $1.ProtectKernelTunables, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_tunables)
 $1.ProtectKernelModules, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_modules)
 $1.ProtectKernelLogs, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_logs)
+$1.ProtectClock, config_parse_bool, 0, offsetof($1, exec_context.protect_clock)
 $1.ProtectControlGroups, config_parse_bool, 0, offsetof($1, exec_context.protect_control_groups)
 $1.NetworkNamespacePath, config_parse_unit_path_printf, 0, offsetof($1, exec_context.network_namespace_path)
 $1.PrivateNetwork, config_parse_bool, 0, offsetof($1, exec_context.private_network)
diff --git a/src/core/unit.c b/src/core/unit.c
index c629a1a9ce0..8570eaefb4c 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4287,6 +4287,9 @@ int unit_patch_contexts(Unit *u) {
                 if (ec->protect_kernel_logs)
                         ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYSLOG);
 
+                if (ec->protect_clock)
+                        ec->capability_bounding_set &= ~((UINT64_C(1) << CAP_SYS_TIME) | (UINT64_C(1) << CAP_WAKE_ALARM));
+
                 if (ec->dynamic_user) {
                         if (!ec->user) {
                                 r = user_from_unit_name(u, &ec->user);
@@ -4345,6 +4348,12 @@ int unit_patch_contexts(Unit *u) {
                         if (r < 0)
                                 return r;
                 }
+
+                if (ec->protect_clock) {
+                        r = cgroup_add_device_allow(cc, "char-rtc", "r");
+                        if (r < 0)
+                                return r;
+                }
         }
 
         return 0;
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index 22a15493d7f..254007ef116 100644
--- a/src/shared/bus-unit-util.c
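Review bot: The new bounding-set mask in unit_patch_contexts() removes two capabilities without saying why, while the neighbouring ProtectKernelLogs= line removes one, so the asymmetry and the relation to the seccomp filter in execute.c are not obvious to a reader. Suggest `/* ProtectClock=: drop CAP_SYS_TIME and CAP_WAKE_ALARM so the clock and wake alarms stay locked even where apply_protect_clock() skips its seccomp filter because seccomp is unavailable. */` above the new `if (ec->protect_clock)`. The enclosing block's opening `if` and the function's remainder lie outside the hunk.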
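Review bot: The `cgroup_add_device_allow(cc, "char-rtc", "r")` call in the second unit.c hunk is placed inside a conditional block whose opening `if` is outside the hunk (only its closing braces are visible), so it cannot be confirmed here that the read-only RTC rule is emitted only when this unit's device policy is actually being set up; that is worth double-checking, since a device-allow entry added to a context without a restrictive policy would be at best a no-op. The intent also deserves a comment, e.g. `/* ProtectClock=: keep the RTC readable (hwclock-style reads); writes are denied by the "r"-only rule, the CAP_SYS_TIME drop above and the seccomp clock filter. */`. The `hwclock-style reads` part is an inference about why read access is retained and can be dropped if it does not match the author's reason.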
+++ b/src/shared/bus-unit-util.c
@@ -854,6 +854,7 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
                                      "ProtectKernelTunables",
                                      "ProtectKernelModules",
                                      "ProtectKernelLogs",
+                                     "ProtectClock",
                                      "ProtectControlGroups",
                                      "MountAPIVFS",
                                      "CPUSchedulingResetOnFork",
-- 
2.39.5