From: Lennart Poettering Date: Thu, 19 Apr 2018 09:04:17 +0000 (+0200) Subject: units: switch from system call blacklist to whitelist X-Git-Tag: v239~48^2~2 X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fsystemd.git;a=commitdiff_plain;h=ee8f26180d01e3ddd4e5f20b03b81e5e737657ae units: switch from system call blacklist to whitelist This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this this means the new @system-service system call filter group will get serious real-life testing quickly. This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise. Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this shiuld be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything.
---
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 68fa55c8075..215696ecd1e 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -33,7 +33,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
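Review bot: The removed line in this hunk explicitly denied @keyring, whereas the replacement `SystemCallFilter=@system-service` leaves it to the group definition (not visible in this diff) whether add_key/request_key/keyctl remain reachable; as far as I recall that group does include @keyring, in which case coredump and every other unit converted in this series quietly regains keyring access. Since systemd merges successive SystemCallFilter= assignments (a later `~` list is subtracted from an earlier whitelist), the previous posture can be kept with a second line, `SystemCallFilter=~@keyring`, after the whitelist, unless coredump genuinely needs those calls. The same caveat applies to the other groups the old blacklist named (@debug, @obsolete, @cpu-emulation): under a whitelist their exclusion is only as good as the contents of @system-service, which is worth cross-checking against the group definition before release.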
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 993134f3d66..da74b4fe8b2 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -29,7 +29,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service sethostname
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 8e93c2d5240..20704a82324 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -23,6 +23,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service @mount
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index df76fe42268..52939e6820b 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -29,7 +29,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index ba8a08f3b48..a24e61a0cdd 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -29,7 +29,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 168fc007b0b..5e090bcf238 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -30,7 +30,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index f9e789db426..1200a90a61a 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -23,7 +23,8 @@ CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_C
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service @mount
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index adb219a01d4..371ab3a9cfe 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -35,7 +35,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 RuntimeDirectory=systemd/netif
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 7b92735f19b..9982ecebffa 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -38,7 +38,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 RuntimeDirectory=systemd/resolve
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index cf13e40cedc..906bb4326ca 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -27,7 +27,8 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service @clock
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 6bfe28627b2..4a490b6e163 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -38,7 +38,8 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RuntimeDirectory=systemd/timesync
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service @clock
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 StateDirectory=systemd/timesync
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 2b9fa69d9b1..6a3814e5d92 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -29,6 +29,8 @@ PrivateMounts=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallFilter=@system-service @module @raw-io
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
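Review bot: The new udevd line `SystemCallFilter=@system-service @module @raw-io` keeps exactly the two groups that give a compromised udev the most leverage — module loading and iopl/ioperm-style port and PCI access — and nothing in the unit records which builtin or rule helper needs them, so the exception is hard to audit or narrow later; a comment above the line along the lines of `# @module for the kmod builtin, @raw-io for … (verify before tightening)` would make the intent explicit. Because `SystemCallErrorNumber=EPERM` turns a denied call into a return code and, as far as I can tell, the filter is installed without the seccomp log flag, a blocked syscall surfaces only as an unexplained EPERM inside whatever rule program hit it, so the real-world testing the commit relies on depends on people noticing and reporting those failures. Note also that the hunk's context line shows `PrivateMounts=yes` for udevd rather than the `MountFlags=shared` the description cites as the reason @mount is harmless here; the effect is similar, but the description should match the unit.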