seccomp: add three more seccomp groups
authorLennart Poettering <lennart@poettering.net>
Sat, 30 Sep 2017 12:34:50 +0000 (14:34 +0200)
committerLennart Poettering <lennart@poettering.net>
Thu, 5 Oct 2017 13:42:48 +0000 (15:42 +0200)
@aio → asynchronous IO calls
@sync → msync/fsync/... and friends
@chown → changing file ownership

(Also, change @privileged to reference @chown now, instead of the
individual syscalls it contains)

NEWS
man/systemd.exec.xml
src/nspawn/nspawn-seccomp.c
src/shared/seccomp-util.c
src/shared/seccomp-util.h

diff --git a/NEWS b/NEWS
index ac6f23c37dff3018cd913dbad328c0d80538dc17..61feb4b5c3e3c287d6524b1cc1ef2aac89ee68d6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -115,8 +115,8 @@ CHANGES WITH 235:
           each time the service is restarted due to Restart=, and may be
           queried using "systemctl show -p NRestarts …".
 
-        * New system call filter groups @setuid, @memlock, @signal and
-          @timer have been added, for usage with SystemCallFilter=
+        * New system call filter groups @aio, @sync, @chown, @setuid, @memlock,
+          @signal and @timer have been added, for usage with SystemCallFilter=
           in unit files and the new --system-call-filter= command line option
           of systemd-nspawn (see above).
 
index 9c5be21053c162673e4d3456edb6e829c3908cdb..dfae0572d889f1ef06aaacf7f9ec1e8a16757f10 100644 (file)
@@ -1490,10 +1490,18 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
               </row>
             </thead>
             <tbody>
+              <row>
+                <entry>@aio</entry>
+                <entry>Asynchronous I/O (<citerefentry project='man-pages'><refentrytitle>io_setup</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>io_submit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+              </row>
               <row>
                 <entry>@basic-io</entry>
                 <entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
               </row>
+              <row>
+                <entry>@chown</entry>
+                <entry>Changing file ownership (<citerefentry project='man-pages'><refentrytitle>chown</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>fchownat</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+              </row>
               <row>
                 <entry>@clock</entry>
                 <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
@@ -1574,6 +1582,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
                 <entry>@swap</entry>
                 <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
               </row>
+              <row>
+                <entry>@sync</entry>
+                <entry>Synchronizing files and memory to disk: (<citerefentry project='man-pages'><refentrytitle>fsync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>msync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+              </row>
               <row>
                 <entry>@timer</entry>
                 <entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
index 92d8103ad5c622ab0b458ebc677783ffea345994..1890dd8e274ecd4de695ebe642ce6cbf8fc2b010 100644 (file)
@@ -49,7 +49,9 @@ static int seccomp_add_default_syscall_filter(
                 const char* name;
         } whitelist[] = {
                 /* Let's use set names where we can */
+                { 0,                  "@aio"                   },
                 { 0,                  "@basic-io"              },
+                { 0,                  "@chown"                 },
                 { 0,                  "@default"               },
                 { 0,                  "@file-system"           },
                 { 0,                  "@io-event"              },
@@ -60,6 +62,7 @@ static int seccomp_add_default_syscall_filter(
                 { 0,                  "@resources"             },
                 { 0,                  "@setuid"                },
                 { 0,                  "@signal"                },
+                { 0,                  "@sync"                  },
                 { 0,                  "@timer"                 },
 
                 /* The following four are sets we optionally enable, in case the caps have been configured for it */
@@ -72,42 +75,25 @@ static int seccomp_add_default_syscall_filter(
                 { 0,                  "brk"                    },
                 { 0,                  "capget"                 },
                 { 0,                  "capset"                 },
-                { 0,                  "chown"                  },
-                { 0,                  "chown32"                },
                 { 0,                  "copy_file_range"        },
                 { 0,                  "fadvise64"              },
                 { 0,                  "fadvise64_64"           },
-                { 0,                  "fchown"                 },
-                { 0,                  "fchown32"               },
-                { 0,                  "fchownat"               },
-                { 0,                  "fdatasync"              },
                 { 0,                  "flock"                  },
-                { 0,                  "fsync"                  },
                 { 0,                  "get_mempolicy"          },
                 { 0,                  "getcpu"                 },
                 { 0,                  "getpriority"            },
                 { 0,                  "getrandom"              },
-                { 0,                  "io_cancel"              },
-                { 0,                  "io_destroy"             },
-                { 0,                  "io_getevents"           },
-                { 0,                  "io_setup"               },
-                { 0,                  "io_submit"              },
                 { 0,                  "ioctl"                  },
                 { 0,                  "ioprio_get"             },
                 { 0,                  "kcmp"                   },
-                { 0,                  "lchown"                 },
-                { 0,                  "lchown32"               },
                 { 0,                  "madvise"                },
                 { 0,                  "mincore"                },
                 { 0,                  "mprotect"               },
                 { 0,                  "mremap"                 },
-                { 0,                  "msync"                  },
                 { 0,                  "name_to_handle_at"      },
                 { 0,                  "oldolduname"            },
                 { 0,                  "olduname"               },
                 { 0,                  "personality"            },
-                { 0,                  "preadv2"                },
-                { 0,                  "pwritev2"               },
                 { 0,                  "readahead"              },
                 { 0,                  "readdir"                },
                 { 0,                  "remap_file_pages"       },
@@ -131,9 +117,6 @@ static int seccomp_add_default_syscall_filter(
                 { 0,                  "setpgid"                },
                 { 0,                  "setsid"                 },
                 { 0,                  "splice"                 },
-                { 0,                  "sync"                   },
-                { 0,                  "sync_file_range"        },
-                { 0,                  "syncfs"                 },
                 { 0,                  "sysinfo"                },
                 { 0,                  "tee"                    },
                 { 0,                  "umask"                  },
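Review bot: Dropping preadv2 and pwritev2 from the explicit whitelist in the third hunk is only behaviour-neutral because the same commit adds those two calls to @basic-io in seccomp-util.c, and nothing in this file records that dependency, so a later edit to @basic-io could silently remove them from the container filter. A comment next to the `"@basic-io"` entry, e.g. `/* also covers preadv2/pwritev2; keep in sync with seccomp-util.c */`, or a test asserting that the resolved whitelist is a superset of the former explicit list, would make the coupling visible. The @chown and @sync entries replace syscalls that were already unconditionally whitelisted here, so the effective container policy appears unchanged apart from that dependency. The whitelist array and seccomp_add_default_syscall_filter() continue past the last hunk.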
index a2354325d1899eb2fa29b378d8492fff6bed73c0..454c0f872a008691844d555406dc9be318573c41 100644 (file)
@@ -317,6 +317,16 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "time\0"
                 "ugetrlimit\0"
         },
+        [SYSCALL_FILTER_SET_AIO] = {
+                .name = "@aio",
+                .help = "Asynchronous IO",
+                .value =
+                "io_cancel\0"
+                "io_destroy\0"
+                "io_getevents\0"
+                "io_setup\0"
+                "io_submit\0"
+        },
         [SYSCALL_FILTER_SET_BASIC_IO] = {
                 .name = "@basic-io",
                 .help = "Basic IO",
@@ -329,13 +339,27 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "lseek\0"
                 "pread64\0"
                 "preadv\0"
+                "preadv2\0"
                 "pwrite64\0"
                 "pwritev\0"
+                "pwritev2\0"
                 "read\0"
                 "readv\0"
                 "write\0"
                 "writev\0"
         },
+        [SYSCALL_FILTER_SET_CHOWN] = {
+                .name = "@chown",
+                .help = "Change ownership of files and directories",
+                .value =
+                "chown\0"
+                "chown32\0"
+                "fchown\0"
+                "fchown32\0"
+                "fchownat\0"
+                "lchown\0"
+                "lchown32\0"
+        },
         [SYSCALL_FILTER_SET_CLOCK] = {
                 .name = "@clock",
                 .help = "Change the system time",
@@ -600,6 +624,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 .name = "@privileged",
                 .help = "All system calls which need super-user capabilities",
                 .value =
+                "@chown\0"
                 "@clock\0"
                 "@module\0"
                 "@raw-io\0"
@@ -607,16 +632,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "acct\0"
                 "bpf\0"
                 "capset\0"
-                "chown\0"
-                "chown32\0"
                 "chroot\0"
-                "fchown\0"
-                "fchown32\0"
-                "fchownat\0"
                 "kexec_file_load\0"
                 "kexec_load\0"
-                "lchown\0"
-                "lchown32\0"
                 "nfsservctl\0"
                 "pivot_root\0"
                 "quotactl\0"
@@ -746,6 +764,17 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "swapoff\0"
                 "swapon\0"
         },
+        [SYSCALL_FILTER_SET_SYNC] = {
+                .name = "@sync",
+                .help = "Synchronize files and memory to storage",
+                .value =
+                "fdatasync\0"
+                "fsync\0"
+                "msync\0"
+                "sync\0"
+                "sync_file_range\0"
+                "syncfs\0"
+        },
         [SYSCALL_FILTER_SET_TIMER] = {
                 .name = "@timer",
                 .help = "Schedule operations by time",
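Review bot: The second hunk adds preadv2 and pwritev2 to the existing @basic-io group, which widens the filter for every unit that already uses SystemCallFilter=@basic-io, yet neither the NEWS entry nor the commit message mentions this; a NEWS line such as `@basic-io now also covers preadv2 and pwritev2` would let administrators who rely on an allow-list of exact calls notice the change. The new `"@chown\0"` reference inside @privileged follows the pattern the group already uses for @clock, @module and @raw-io, so nested resolution should work as before. The .help strings ("Asynchronous IO", "Synchronize files and memory to storage") differ in wording from the man page rows added in the same commit ("Asynchronous I/O", "to disk"); presumably both are user-visible, so aligning them avoids confusion. The syscall_filter_sets table continues outside the hunks shown.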
index 25ca9bcaa037b0e1080ab28906f0de2e2c70d5a9..6dfa465ef33a62bd69a3cdfbccdf3943ecc1e68b 100644 (file)
@@ -41,7 +41,9 @@ typedef struct SyscallFilterSet {
 enum {
         /* Please leave DEFAULT first, but sort the rest alphabetically */
         SYSCALL_FILTER_SET_DEFAULT,
+        SYSCALL_FILTER_SET_AIO,
         SYSCALL_FILTER_SET_BASIC_IO,
+        SYSCALL_FILTER_SET_CHOWN,
         SYSCALL_FILTER_SET_CLOCK,
         SYSCALL_FILTER_SET_CPU_EMULATION,
         SYSCALL_FILTER_SET_DEBUG,
@@ -62,6 +64,7 @@ enum {
         SYSCALL_FILTER_SET_SETUID,
         SYSCALL_FILTER_SET_SIGNAL,
         SYSCALL_FILTER_SET_SWAP,
+        SYSCALL_FILTER_SET_SYNC,
         SYSCALL_FILTER_SET_TIMER,
         _SYSCALL_FILTER_SET_MAX
 };