This removes the '@credentials' syscall set that was added in commit
v234-468-gcd0ddf6f75.
Most of these syscalls are so simple that we do not want to filter them.
They work on the current calling process, doing only read operations,
they do not have a deep kernel path.
The problem may only be in 'capget' syscall since it can query arbitrary
processes, and used to discover processes, however sending signal 0 to
arbitrary processes can be used to discover if a process exists or not.
It is unfortunate that Linux allows to query processes of different
users. Lets put it now in '@process' syscall set, and later we may add
it to a new '@basic-process' set that allows most basic process
operations.
each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …".
- * New system call filter groups @setuid, @credentials, @memlock,
- @signal and @timer have been added, for usage with SystemCallFilter=
+ * New system call filter groups @setuid, @memlock, @signal and
+ @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above).
<entry>@cpu-emulation</entry>
<entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
</row>
- <row>
- <entry>@credentials</entry>
- <entry>System calls for querying process credentials (<citerefentry project='man-pages'><refentrytitle>getuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>capget</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
- </row>
<row>
<entry>@debug</entry>
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
} whitelist[] = {
/* Let's use set names where we can */
{ 0, "@basic-io" },
- { 0, "@credentials" },
{ 0, "@default" },
{ 0, "@file-system" },
{ 0, "@io-event" },
/* Plus a good set of additional syscalls which are not part of any of the groups above */
{ 0, "brk" },
+ { 0, "capget" },
{ 0, "capset" },
{ 0, "chown" },
{ 0, "chown32" },
"futex\0"
"get_robust_list\0"
"get_thread_area\0"
+ "getegid\0"
+ "getegid32\0"
+ "geteuid\0"
+ "geteuid32\0"
+ "getgid\0"
+ "getgid32\0"
+ "getgroups\0"
+ "getgroups32\0"
+ "getpgid\0"
+ "getpgrp\0"
+ "getpid\0"
+ "getppid\0"
+ "getresgid\0"
+ "getresgid32\0"
+ "getresuid\0"
+ "getresuid32\0"
"getrlimit\0" /* make sure processes can query stack size and such */
+ "getsid\0"
+ "gettid\0"
"gettimeofday\0"
+ "getuid\0"
+ "getuid32\0"
"membarrier\0"
"nanosleep\0"
"pause\0"
"vm86\0"
"vm86old\0"
},
- [SYSCALL_FILTER_SET_CREDENTIALS] = {
- .name = "@credentials",
- .help = "Query own process credentials",
- .value =
- "capget\0"
- "getegid\0"
- "getegid32\0"
- "geteuid\0"
- "geteuid32\0"
- "getgid\0"
- "getgid32\0"
- "getgroups\0"
- "getgroups32\0"
- "getpgid\0"
- "getpgrp\0"
- "getpid\0"
- "getppid\0"
- "getresgid\0"
- "getresgid32\0"
- "getresuid\0"
- "getresuid32\0"
- "getsid\0"
- "gettid\0"
- "getuid\0"
- "getuid32\0"
- },
[SYSCALL_FILTER_SET_DEBUG] = {
.name = "@debug",
.help = "Debugging, performance monitoring and tracing functionality",
.help = "Process control, execution, namespaceing operations",
.value =
"arch_prctl\0"
+ "capget\0" /* Able to query arbitrary processes */
"clone\0"
"execveat\0"
"fork\0"
- "getpid\0"
- "getppid\0"
"getrusage\0"
"gettid\0"
"kill\0"
SYSCALL_FILTER_SET_BASIC_IO,
SYSCALL_FILTER_SET_CLOCK,
SYSCALL_FILTER_SET_CPU_EMULATION,
- SYSCALL_FILTER_SET_CREDENTIALS,
SYSCALL_FILTER_SET_DEBUG,
SYSCALL_FILTER_SET_FILE_SYSTEM,
SYSCALL_FILTER_SET_IO_EVENT,