]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-seccomp.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
seccomp: add three more seccomp groups
[thirdparty/systemd.git] / src / nspawn / nspawn-seccomp.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2016 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <linux/netlink.h>
22 #include <sys/capability.h>
23 #include <sys/types.h>
24
25 #if HAVE_SECCOMP
26 #include <seccomp.h>
27 #endif
28
29 #include "alloc-util.h"
30 #include "log.h"
31 #include "nspawn-seccomp.h"
32 #if HAVE_SECCOMP
33 #include "seccomp-util.h"
34 #endif
35 #include "string-util.h"
36 #include "strv.h"
37
38 #if HAVE_SECCOMP
39
40 static int seccomp_add_default_syscall_filter(
41 scmp_filter_ctx ctx,
42 uint32_t arch,
43 uint64_t cap_list_retain,
44 char **syscall_whitelist,
45 char **syscall_blacklist) {
46
47 static const struct {
48 uint64_t capability;
49 const char* name;
50 } whitelist[] = {
51 /* Let's use set names where we can */
52 { 0, "@aio" },
53 { 0, "@basic-io" },
54 { 0, "@chown" },
55 { 0, "@default" },
56 { 0, "@file-system" },
57 { 0, "@io-event" },
58 { 0, "@ipc" },
59 { 0, "@mount" },
60 { 0, "@network-io" },
61 { 0, "@process" },
62 { 0, "@resources" },
63 { 0, "@setuid" },
64 { 0, "@signal" },
65 { 0, "@sync" },
66 { 0, "@timer" },
67
68 /* The following four are sets we optionally enable, in case the caps have been configured for it */
69 { CAP_SYS_TIME, "@clock" },
70 { CAP_SYS_MODULE, "@module" },
71 { CAP_SYS_RAWIO, "@raw-io" },
72 { CAP_IPC_LOCK, "@memlock" },
73
74 /* Plus a good set of additional syscalls which are not part of any of the groups above */
75 { 0, "brk" },
76 { 0, "capget" },
77 { 0, "capset" },
78 { 0, "copy_file_range" },
79 { 0, "fadvise64" },
80 { 0, "fadvise64_64" },
81 { 0, "flock" },
82 { 0, "get_mempolicy" },
83 { 0, "getcpu" },
84 { 0, "getpriority" },
85 { 0, "getrandom" },
86 { 0, "ioctl" },
87 { 0, "ioprio_get" },
88 { 0, "kcmp" },
89 { 0, "madvise" },
90 { 0, "mincore" },
91 { 0, "mprotect" },
92 { 0, "mremap" },
93 { 0, "name_to_handle_at" },
94 { 0, "oldolduname" },
95 { 0, "olduname" },
96 { 0, "personality" },
97 { 0, "readahead" },
98 { 0, "readdir" },
99 { 0, "remap_file_pages" },
100 { 0, "sched_get_priority_max" },
101 { 0, "sched_get_priority_min" },
102 { 0, "sched_getaffinity" },
103 { 0, "sched_getattr" },
104 { 0, "sched_getparam" },
105 { 0, "sched_getscheduler" },
106 { 0, "sched_rr_get_interval" },
107 { 0, "sched_yield" },
108 { 0, "seccomp" },
109 { 0, "sendfile" },
110 { 0, "sendfile64" },
111 { 0, "setdomainname" },
112 { 0, "setfsgid" },
113 { 0, "setfsgid32" },
114 { 0, "setfsuid" },
115 { 0, "setfsuid32" },
116 { 0, "sethostname" },
117 { 0, "setpgid" },
118 { 0, "setsid" },
119 { 0, "splice" },
120 { 0, "sysinfo" },
121 { 0, "tee" },
122 { 0, "umask" },
123 { 0, "uname" },
124 { 0, "userfaultfd" },
125 { 0, "vmsplice" },
126
127 /* The following individual syscalls are added depending on specified caps */
128 { CAP_SYS_PACCT, "acct" },
129 { CAP_SYS_PTRACE, "process_vm_readv" },
130 { CAP_SYS_PTRACE, "process_vm_writev" },
131 { CAP_SYS_PTRACE, "ptrace" },
132 { CAP_SYS_BOOT, "reboot" },
133 { CAP_SYSLOG, "syslog" },
134 { CAP_SYS_TTY_CONFIG, "vhangup" },
135
136 /*
137 * The following syscalls and groups are knowingly excluded:
138 *
139 * @cpu-emulation
140 * @keyring (NB: keyring is not namespaced!)
141 * @obsolete
142 * @swap
143 *
144 * bpf (NB: bpffs is not namespaced!)
145 * fanotify_init
146 * fanotify_mark
147 * kexec_file_load
148 * kexec_load
149 * lookup_dcookie
150 * nfsservctl
151 * open_by_handle_at
152 * perf_event_open
153 * pkey_alloc
154 * pkey_free
155 * pkey_mprotect
156 * quotactl
157 */
158 };
159
160 int r, c = 0;
161 size_t i;
162 char **p;
163
164 for (i = 0; i < ELEMENTSOF(whitelist); i++) {
165 if (whitelist[i].capability != 0 && (cap_list_retain & (1ULL << whitelist[i].capability)) == 0)
166 continue;
167
168 r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist);
169 if (r < 0)
170 /* If the system call is not known on this architecture, then that's fine, let's ignore it */
171 log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", whitelist[i].name, seccomp_arch_to_string(arch));
172 else
173 c++;
174 }
175
176 STRV_FOREACH(p, syscall_whitelist) {
177 r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist);
178 if (r < 0)
179 log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", *p, seccomp_arch_to_string(arch));
180 else
181 c++;
182 }
183
184 return c;
185 }
186
187 int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
188 uint32_t arch;
189 int r;
190
191 if (!is_seccomp_available()) {
192 log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
193 return 0;
194 }
195
196 SECCOMP_FOREACH_LOCAL_ARCH(arch) {
197 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
198
199 log_debug("Applying whitelist on architecture: %s", seccomp_arch_to_string(arch));
200
201 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(EPERM));
202 if (r < 0)
203 return log_error_errno(r, "Failed to allocate seccomp object: %m");
204
205 r = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist);
206 if (r < 0)
207 return r;
208
209 r = seccomp_load(seccomp);
210 if (IN_SET(r, -EPERM, -EACCES))
211 return log_error_errno(r, "Failed to install seccomp filter: %m");
212 if (r < 0)
213 log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
214 }
215
216 SECCOMP_FOREACH_LOCAL_ARCH(arch) {
217 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
218
219 log_debug("Applying NETLINK_AUDIT mask on architecture: %s", seccomp_arch_to_string(arch));
220
221 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
222 if (r < 0)
223 return log_error_errno(r, "Failed to allocate seccomp object: %m");
224
225 /*
226 Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
227 container. We don't care and just turn off creation of audit sockets.
228
229 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
230 as indication that audit is disabled in the kernel.
231 */
232
233 r = seccomp_rule_add_exact(
234 seccomp,
235 SCMP_ACT_ERRNO(EAFNOSUPPORT),
236 SCMP_SYS(socket),
237 2,
238 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
239 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
240 if (r < 0) {
241 log_debug_errno(r, "Failed to add audit seccomp rule, ignoring: %m");
242 continue;
243 }
244
245 r = seccomp_load(seccomp);
246 if (IN_SET(r, -EPERM, -EACCES))
247 return log_error_errno(r, "Failed to install seccomp audit filter: %m");
248 if (r < 0)
249 log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
250 }
251
252 return 0;
253 }
254
255 #else
256
257 int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
258 return 0;
259 }
260
261 #endif
Unnamed repository; edit this file 'description' to name the repository.