seccomp: drop mincore() from @system-service syscall filter group

Previously, this system call was included in @system-service since it is
a "getter" only, i.e. only queries information, and doesn't change
anything, and hence was considered not risky.

However, as it turns out, mincore() is actually security sensitive, see
the discussion here:

https://lwn.net/Articles/776034/

Hence, let's adjust the system call filter and drop mincore() from it.

This constitues a compatibility break to some level, however I presume
we can get away with this as the systemcall is pretty exotic. The fact
that it is pretty exotic is also reflected by the fact that the kernel
intends to majorly change behaviour of the system call soon (see the
linked LWN article)

diff --git a/NEWS b/NEWS
index c64ef5871b46bc755b4ed13dd2c456f8698d23cd..c76b571d2baf10a942a5459991b3e7b554331571 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,10 @@ CHANGES WITH 241 in spe:
         * kernel-install script now optionally takes a path to an initrd file,
           and passes it to all plugins.
 
+        * The mincore() system call has been dropped from the @system-service
+          system call filter group, as it is pretty exotic and may potentially
+          used for side-channel attacks.
+
         * -fPIE is dropped from compiler and linker options. Please specify
           -Db_pie=true option to meson to build position-independent
           executables. Note that the meson option is supported since meson-0.49.

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 42d6dd2a94342ba4d7f7cb17e568cea2bda39f85..cc58b3c07879d4bb0d7fd143e239c4bbd49bd96e 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -793,7 +793,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "ioprio_get\0"
                 "kcmp\0"
                 "madvise\0"
-                "mincore\0"
                 "mprotect\0"
                 "mremap\0"
                 "name_to_handle_at\0"