From: Djalal Harouni Date: Fri, 7 Oct 2016 18:38:05 +0000 (+0200) Subject: core:sandbox: remove CAP_SYS_RAWIO on PrivateDevices=yes X-Git-Tag: v232~96^2~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2cd0a735470894bd2d25147442285744764633a1;p=thirdparty%2Fsystemd.git core:sandbox: remove CAP_SYS_RAWIO on PrivateDevices=yes The rawio system calls were filtered, but CAP_SYS_RAWIO allows to access raw data through /proc, ioctl and some other exotic system calls... --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 3bea4976b37..c46c0f6dd88 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -946,8 +946,8 @@ /dev/port and others. This is useful to securely turn off physical device access by the executed process. Defaults to false. Enabling this option will install a system call filter to block low-level I/O system calls that are grouped in the @raw-io set, will also remove - CAP_MKNOD from the capability bounding set for the unit (see above), and set - DevicePolicy=closed (see + CAP_MKNOD and CAP_SYS_RAWIO from the capability bounding set for + the unit (see above), and set DevicePolicy=closed (see systemd.resource-control5 for details). Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for diff --git a/src/core/unit.c b/src/core/unit.c index 71f95c0b96a..67668bdc480 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -3399,7 +3399,7 @@ int unit_patch_contexts(Unit *u) { ec->no_new_privileges = true; if (ec->private_devices) - ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_MKNOD); + ec->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) | (UINT64_C(1) << CAP_SYS_RAWIO)); if (ec->protect_kernel_modules) ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYS_MODULE);