From: Kevin Kuehler
Date: Tue, 5 Nov 2019 01:18:42 +0000 (-0800)
Subject: core: Add ProtectKernelLogs
X-Git-Tag: v244-rc1~47^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84703040186de5b4b90f5c41fe4db7f7a5ada05e;p=thirdparty%2Fsystemd.git

core: Add ProtectKernelLogs

If seccomp is enabled, load the SYSCALL_FILTER_SET_SYSLOG into the seccomp filter set. Drop the CAP_SYSLOG capability.
---

diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 185fc6a3683..13ff6f489ad 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -783,6 +783,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
         SD_BUS_PROPERTY("PrivateDevices", "b", bus_property_get_bool, offsetof(ExecContext, private_devices), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("ProtectKernelTunables", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_tunables), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("ProtectKernelModules", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_modules), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("ProtectKernelLogs", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_logs), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("ProtectControlGroups", "b", bus_property_get_bool, offsetof(ExecContext, protect_control_groups), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("PrivateNetwork", "b", bus_property_get_bool, offsetof(ExecContext, private_network), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("PrivateUsers", "b", bus_property_get_bool, offsetof(ExecContext, private_users), SD_BUS_VTABLE_PROPERTY_CONST),
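Review bot: Nothing in this diff adds ProtectKernelLogs to the client-side property parser (src/shared/bus-unit-util.c is not touched), so unless a sibling commit in this series does, `systemd-run -p ProtectKernelLogs=yes` and `systemctl set-property` will presumably reject the name even though the manager accepts it as a transient property further down; worth confirming before the series lands. The vtable entry itself mirrors the ProtectKernelModules line exactly, including SD_BUS_VTABLE_PROPERTY_CONST, so it is consistent with its siblings. bus_exec_vtable begins before this hunk.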
@@ -1274,6 +1275,9 @@ int bus_exec_context_set_transient_property(
         if (streq(name, "ProtectKernelModules"))
                 return bus_set_transient_bool(u, name, &c->protect_kernel_modules, message, flags, error);
 
+        if (streq(name, "ProtectKernelLogs"))
+                return bus_set_transient_bool(u, name, &c->protect_kernel_logs, message, flags, error);
+
         if (streq(name, "ProtectControlGroups"))
                 return bus_set_transient_bool(u, name, &c->protect_control_groups, message, flags, error);
 
diff --git a/src/core/execute.c b/src/core/execute.c
index 1c22c3d80ed..89c485a19a8 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1396,6 +1396,7 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
                 exec_context_restrict_namespaces_set(c) ||
                 c->protect_kernel_tunables ||
                 c->protect_kernel_modules ||
+                c->protect_kernel_logs ||
                 c->private_devices ||
                 context_has_syscall_filters(c) ||
                 !set_isempty(c->syscall_archs) ||
@@ -1542,6 +1543,19 @@ static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
         return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM), false);
 }
 
+static int apply_protect_kernel_logs(const Unit *u, const ExecContext *c) {
+        assert(u);
+        assert(c);
+
+        if (!c->protect_kernel_logs)
+                return 0;
+
+        if (skip_seccomp_unavailable(u, "ProtectKernelLogs="))
+                return 0;
+
+        return seccomp_protect_syslog();
+}
+
 static int apply_private_devices(const Unit *u, const ExecContext *c) {
         assert(u);
         assert(c);
@@ -3679,6 +3693,12 @@ static int exec_child(
                         return log_unit_error_errno(unit, r, "Failed to apply module loading restrictions: %m");
                 }
 
+                r = apply_protect_kernel_logs(unit, context);
+                if (r < 0) {
+                        *exit_status = EXIT_SECCOMP;
+                        return log_unit_error_errno(unit, r, "Failed to apply kernel log restrictions: %m");
+                }
+
                 r = apply_private_devices(unit, context);
                 if (r < 0) {
                         *exit_status = EXIT_SECCOMP;
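Review bot: Listing c->protect_kernel_logs in context_has_no_new_privileges() means ProtectKernelLogs= implicitly turns on no_new_privs for the service, exactly as ProtectKernelModules= already does; that is presumably needed so the seccomp filter can be installed without CAP_SYS_ADMIN, but it also silently disables setuid/setgid and file-capability gains inside the unit, which is the kind of side effect the man page entry (not part of this diff) should spell out. A one-line `/* implies NoNewPrivileges= because it installs a seccomp filter */` next to the seccomp-related entries would help the next person who extends this list. context_has_no_new_privileges() starts and ends outside the hunk.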
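Review bot: apply_protect_kernel_logs() only installs the syslog(2) seccomp filter via seccomp_protect_syslog() (defined outside this diff), and nothing here makes /dev/kmsg or /proc/kmsg inaccessible, so with kernel.dmesg_restrict=0 the ring buffer stays readable through those files; if a later commit in the series adds them to the inaccessible-paths handling that should be noted, otherwise this is a gap a user of the option would not expect. The function also becomes a no-op when skip_seccomp_unavailable() fires, leaving only the CAP_SYSLOG drop from unit.c in place, and unlike the error message in exec_child it gives the reader no hint of that split. I would add a header comment above it: `/* ProtectKernelLogs=: filter syslog(2) with seccomp. CAP_SYSLOG is dropped in unit_patch_contexts(); /dev/kmsg and /proc/kmsg are not covered here. */`.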
@@ -4318,6 +4338,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
                 "%sPrivateDevices: %s\n"
                 "%sProtectKernelTunables: %s\n"
                 "%sProtectKernelModules: %s\n"
+                "%sProtectKernelLogs: %s\n"
                 "%sProtectControlGroups: %s\n"
                 "%sPrivateNetwork: %s\n"
                 "%sPrivateUsers: %s\n"
@@ -4338,6 +4359,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
                 prefix, yes_no(c->private_devices),
                 prefix, yes_no(c->protect_kernel_tunables),
                 prefix, yes_no(c->protect_kernel_modules),
+                prefix, yes_no(c->protect_kernel_logs),
                 prefix, yes_no(c->protect_control_groups),
                 prefix, yes_no(c->private_network),
                 prefix, yes_no(c->private_users),
diff --git a/src/core/execute.h b/src/core/execute.h
index 2508c6d6687..c923b1fa213 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -257,6 +257,7 @@ struct ExecContext {
         bool private_mounts;
         bool protect_kernel_tunables;
         bool protect_kernel_modules;
+        bool protect_kernel_logs;
         bool protect_control_groups;
         ProtectSystem protect_system;
         ProtectHome protect_home;
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index 58c1970d057..42fc4eaac9d 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -115,6 +115,7 @@ $1.PrivateTmp, config_parse_bool, 0,
 $1.PrivateDevices, config_parse_bool, 0, offsetof($1, exec_context.private_devices)
 $1.ProtectKernelTunables, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_tunables)
 $1.ProtectKernelModules, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_modules)
+$1.ProtectKernelLogs, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_logs)
 $1.ProtectControlGroups, config_parse_bool, 0, offsetof($1, exec_context.protect_control_groups)
 $1.NetworkNamespacePath, config_parse_unit_path_printf, 0, offsetof($1, exec_context.network_namespace_path)
 $1.PrivateNetwork, config_parse_bool, 0, offsetof($1, exec_context.private_network)
diff --git a/src/core/unit.c b/src/core/unit.c
index 5f2ca447015..c2722a15da2 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4269,6 +4269,9 @@ int unit_patch_contexts(Unit *u) {
                 if (ec->protect_kernel_modules)
                         ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYS_MODULE);
 
+                if (ec->protect_kernel_logs)
+                        ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYSLOG);
+
                 if (ec->dynamic_user) {
                         if (!ec->user) {
                                 r = user_from_unit_name(u, &ec->user);
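Review bot: The CAP_SYSLOG drop added here is the only part of ProtectKernelLogs= that survives when seccomp is unavailable (execute.c skips the filter in that case), and on its own it is weaker than it looks: the kernel's syslog permission check has historically also accepted CAP_SYS_ADMIN as a deprecated fallback, so a unit that keeps CAP_SYS_ADMIN in its bounding set can, as far as I can tell, still call syslog(2) and read a restricted /dev/kmsg. That is worth a short comment above the new block, e.g. `/* ProtectKernelLogs=: drop CAP_SYSLOG; the syslog(2) seccomp filter in execute.c is the stronger half */`, so the next reader does not assume the capability drop alone is sufficient. The masking itself matches the CAP_SYS_MODULE line above it exactly. unit_patch_contexts() starts and ends outside the hunk.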