context->protect_home != PROTECT_HOME_NO ||
context->protect_kernel_tunables ||
context->protect_kernel_modules ||
+ context->protect_kernel_logs ||
context->protect_control_groups)
return true;
.protect_control_groups = context->protect_control_groups,
.protect_kernel_tunables = context->protect_kernel_tunables,
.protect_kernel_modules = context->protect_kernel_modules,
+ .protect_kernel_logs = context->protect_kernel_logs,
.protect_hostname = context->protect_hostname,
.mount_apivfs = context->mount_apivfs,
.private_mounts = context->private_mounts,
{ "/usr/lib/modules", INACCESSIBLE, true },
};
+/* ProtectKernelLogs= option */
+static const MountEntry protect_kernel_logs_table[] = {
+ { "/proc/kmsg", INACCESSIBLE, true },
+ { "/dev/kmsg", INACCESSIBLE, true },
+};
+
/*
* ProtectHome=read-only table, protect $HOME and $XDG_RUNTIME_DIR and rest of
* system should be protected by ProtectSystem=
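Review bot: The new protect_kernel_logs_table only closes the two filesystem views of the kernel ring buffer, /proc/kmsg and /dev/kmsg; the syslog(2) system call reads the same buffer without touching either path, so the mount table on its own does not deliver what the option name promises unless the rest of the commit also drops CAP_SYSLOG from the bounding set and filters syslog(2) (not visible in these hunks). Whichever way that is handled, the table comment should say so, e.g. `/* ProtectKernelLogs= option: hides the ring buffer's filesystem endpoints; syslog(2) and CAP_SYSLOG are restricted separately */`, so a later reader does not take the mounts as the whole mechanism. The `true` in the third column appears to be the same ignore-if-missing flag the neighbouring tables use, which looks right for /proc/kmsg when procfs is not mounted, but a one-word note on why both entries are ignorable would help since that choice is not obvious for /dev/kmsg.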
n_temporary_filesystems +
ns_info->private_dev +
(ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
- (ns_info->protect_control_groups ? 1 : 0) +
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
+ (ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) +
+ (ns_info->protect_control_groups ? 1 : 0) +
protect_home_cnt + protect_system_cnt +
(ns_info->protect_hostname ? 2 : 0) +
(namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0);
goto finish;
}
+ if (ns_info->protect_kernel_logs) {
+ r = append_static_mounts(&m, protect_kernel_logs_table, ELEMENTSOF(protect_kernel_logs_table), ns_info->ignore_protect_paths);
+ if (r < 0)
+ goto finish;
+ }
+
if (ns_info->protect_control_groups) {
*(m++) = (MountEntry) {
.path_const = "/sys/fs/cgroup",