From: Mike Gilbert Date: Thu, 21 Jan 2021 20:23:32 +0000 (-0500) Subject: seccomp_restrict_sxid: return ENOSYS for openat2() X-Git-Tag: v248-rc1~244 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57353d2909e503e3e5c7e69251ba95a31e1a72ce;p=thirdparty%2Fsystemd.git seccomp_restrict_sxid: return ENOSYS for openat2() We reject all openat2() calls because it is currently not possible to inspect its flags parameter via seccomp. Fallback code is more likely to look for ENOSYS than EPERM. --- diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 03d039f778f..ab24baaf9e6 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -2079,10 +2079,12 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) { /* The new openat2() system call can't be filtered sensibly, since it moves the flags parameter into * an indirect structure. Let's block it entirely for now. That should be a reasonably OK thing to do * for now, since openat2() is very new and code generally needs fallback logic anyway to be - * compatible with kernels that are not absolutely recent. */ + * compatible with kernels that are not absolutely recent. We would normally return EPERM for a + * policy check, but this isn't strictly a policy check. Instead, we return ENOSYS to force programs + * to call open() or openat() instead. We can properly enforce policy for those functions. */ r = seccomp_rule_add_exact( seccomp, - SCMP_ACT_ERRNO(EPERM), + SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(openat2), 0); if (r < 0)
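Review bot: in the openat2 rule, switching from SCMP_ACT_ERRNO(EPERM) to SCMP_ACT_ERRNO(ENOSYS) makes a confined service unable to tell "kernel has no openat2()" from "openat2() blocked by this sxid restriction", which is exactly what the rewritten comment intends, but it should be stated where RestrictSUIDSGID= is documented for users, since a caller that probes the syscall once and remembers the ENOSYS result will fall back to open()/openat() for the rest of its lifetime, and an ENOSYS from a kernel that clearly has openat2() is otherwise easy to misreport as a kernel problem. The rule still uses zero argument comparisons, so every openat2() call is refused regardless of flags, consistent with the comment's "block it entirely" wording. Nit in the same comment: "for now" appears twice in consecutive sentences ("Let's block it entirely for now. That should be a reasonably OK thing to do for now"); since the comment is being rewritten anyway, one of them could be dropped.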