]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e05ee49)
units: switch from system call blacklist to whitelist
authorLennart Poettering <lennart@poettering.net>
Thu, 19 Apr 2018 09:04:17 +0000 (11:04 +0200)
committerLennart Poettering <lennart@poettering.net>
Thu, 14 Jun 2018 15:44:20 +0000 (17:44 +0200)
This is generally the safer approach, and is what container managers
(including nspawn) do, hence let's move to this too for our own
services. This is particularly useful as this this means the new
@system-service system call filter group will get serious real-life
testing quickly.

This also switches from firing SIGSYS on unexpected syscalls to
returning EPERM. This would have probably been a better default anyway,
but it's hard to change that these days. When whitelisting system calls
SIGSYS is highly problematic as system calls that are newly introduced
to Linux become minefields for services otherwise.

Note that this enables a system call filter for udev for the first time,
and will block @clock, @mount and @swap from it. Some downstream
distributions might want to revert this locally if they want to permit
unsafe operations on udev rules, but in general this shiuld be mostly
safe, as we already set MountFlags=shared for udevd, hence at least
@mount won't change anything.

12 files changed:
units/systemd-coredump@.service.in patch | blob | blame | history
units/systemd-hostnamed.service.in patch | blob | blame | history
units/systemd-importd.service.in patch | blob | blame | history
units/systemd-journald.service.in patch | blob | blame | history
units/systemd-localed.service.in patch | blob | blame | history
units/systemd-logind.service.in patch | blob | blame | history
units/systemd-machined.service.in patch | blob | blame | history
units/systemd-networkd.service.in patch | blob | blame | history
units/systemd-resolved.service.in patch | blob | blame | history
units/systemd-timedated.service.in patch | blob | blame | history
units/systemd-timesyncd.service.in patch | blob | blame | history
units/systemd-udevd.service.in patch | blob | blame | history

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 68fa55c807502536966c66cc1e5c1f155bfa5cb5..215696ecd1ec216bda052b11164511a39e7d0ef9 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -33,7 +33,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 993134f3d666f40bdbe17c5a472f0119f4559e46..da74b4fe8b2ba38190572082a8d8757e1f7d6174 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -29,7 +29,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service sethostname
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 8e93c2d5240ba1bb27c357129f5e0bab1aa4e187..20704a82324780d9f41ad9af8b1574caf901a7a5 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -23,6 +23,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service @mount
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index df76fe4226804be7babb3e2ca709e2847f8d746d..52939e6820b45576a1dfa93170bf88aa73ec1c3f 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -29,7 +29,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index ba8a08f3b48cb073dcc2068ea312d594b4032ad3..a24e61a0cdd16f5863ea80b43615a827cc5e4670 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -29,7 +29,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 168fc007b0b00865ec7853c45ee7e24d76cff57f..5e090bcf238bd4d47fa579e07f827794528b840b 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -30,7 +30,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index f9e789db426ac43586f5777afb10db8eef8eebc5..1200a90a61aa66236670274592aca37857261da5 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -23,7 +23,8 @@ CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_C
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service @mount
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index adb219a01d4a1a4e668f9490c25ebce5731dbe28..371ab3a9cfec866c978c854159c478a881f27af0 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -35,7 +35,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 RuntimeDirectory=systemd/netif
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 7b92735f19b0847e2d2bdb196a06f8ae1b9e6118..9982ecebffa9a049d11e8f326dc502833ca3c0bd 100644 (file)
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -38,7 +38,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 RuntimeDirectory=systemd/resolve
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index cf13e40cedcca07533afb86be401c244f6d36460..906bb4326cae9f8ab35b02ecd2258e29f1c992bb 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -27,7 +27,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service @clock
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 6bfe28627b2200b4f15039dd7565fb19c5c689df..4a490b6e1635cc15fbfc46e0cff9f6537003f756 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -38,7 +38,8 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RuntimeDirectory=systemd/timesync
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service @clock
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 StateDirectory=systemd/timesync
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 2b9fa69d9b1f530abef7115d4673c78950cc0e18..6a3814e5d92607a397b88bb55015a6be47bc75ff 100644 (file)
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -29,6 +29,8 @@ PrivateMounts=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallFilter=@system-service @module @raw-io
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
Unnamed repository; edit this file 'description' to name the repository.