From: Kevin Kuehler
Date: Tue, 5 Nov 2019 01:17:01 +0000 (-0800)
Subject: shared: Add ProtectKernelLogs property
X-Git-Tag: v244-rc1~47^2~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=620dbdd2489515696d53b90c061208b43b65aafa;p=thirdparty%2Fsystemd.git
shared: Add ProtectKernelLogs property
Add seccomp_protect_syslog, which adds a filter rule for the syslog system call.
---
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index c9f352f7960..29dd89d3c19 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -818,8 +818,8 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
 "PrivateDevices", "PrivateNetwork", "PrivateUsers", "PrivateMounts", "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute", "RestrictRealtime", "DynamicUser", "RemoveIPC", "ProtectKernelTunables", "ProtectKernelModules",
- "ProtectControlGroups", "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality",
- "ProtectHostname", "RestrictSUIDSGID"))
+ "ProtectKernelLogs", "ProtectControlGroups", "MountAPIVFS", "CPUSchedulingResetOnFork",
+ "LockPersonality", "ProtectHostname", "RestrictSUIDSGID"))
 return bus_append_parse_boolean(m, field, eq);
 if (STR_IN_SET(field,
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 22110d0d731..bd4f004cc8b 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1281,6 +1281,38 @@ int seccomp_protect_sysctl(void) {
 return 0;
 }
+int seccomp_protect_syslog(void) {
+ uint32_t arch;
+ int r;
+
+ SECCOMP_FOREACH_LOCAL_ARCH(arch) {
+ _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
+
+ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
+ if (r < 0)
+ return r;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(syslog),
+ 0);
+
+ if (r < 0) {
+ log_debug_errno(r, "Failed to add syslog() rule for architecture %s, skipping %m", seccomp_arch_to_string(arch));
+ continue;
+ }
+
+ r = seccomp_load(seccomp);
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch));
+ }
+
+ return 0;
+}
+
 int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
 uint32_t arch;
 int r;
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index b29082a4885..0b48e74a87f 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -82,6 +82,7 @@ int seccomp_parse_syscall_filter(
 int seccomp_restrict_archs(Set *archs);
 int seccomp_restrict_namespaces(unsigned long retain);
 int seccomp_protect_sysctl(void);
+int seccomp_protect_syslog(void);
 int seccomp_restrict_address_families(Set *address_families, bool whitelist);
 int seccomp_restrict_realtime(void);
 int seccomp_memory_deny_write_execute(void);
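Review bot: seccomp_protect_syslog() returns 0 even when no filter was installed: a failed `seccomp_rule_add_exact()` is logged at debug level and skipped with `continue`, and a non-fatal `seccomp_load()` error is only logged, so a caller cannot tell an enforced ProtectKernelLogs from a best-effort no-op. If that is intended, say so in a comment above the function, e.g. `/* Best effort: architectures where the rule cannot be added or loaded are skipped; only ERRNO_IS_SECCOMP_FATAL() errors are returned. */`. The filter covers only the syslog() system call, so the comment should also state that other kernel-log interfaces (such as /dev/kmsg) are outside what this function restricts and are presumably handled by the caller. Both debug messages end in `skipping %m`, which runs the error text into the sentence; `skipping: %m` would read correctly.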