From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 9 Aug 2017 13:04:05 +0000 (+0200)
Subject: seccomp: add new @setuid seccomp group
X-Git-Tag: v235~237^2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6eaaeee93a07eaa3108f99cd71d06af1adb68786;p=thirdparty%2Fsystemd.git

seccomp: add new @setuid seccomp group

This new group lists all UID/GID credential changing syscalls (which are
quite a number these days). This will become particularly useful in a
later commit, which uses this group to optionally permit user credential
changing to daemons in case ambient capabilities are not available.
---

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index b3495c97857..f138dedacff 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1505,6 +1505,10 @@
                 <entry>@resources</entry>
                 <entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
               </row>
+              <row>
+                <entry>@setuid</entry>
+                <entry>System calls for changing user ID and group ID credentials, (<citerefentry project='man-pages'><refentrytitle>setuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setgid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setresuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
+              </row>
               <row>
                 <entry>@swap</entry>
                 <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 147b1b2ab2e..e80d98ea0c4 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -639,6 +639,25 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "sched_setattr\0"
                 "prlimit64\0"
         },
+        [SYSCALL_FILTER_SET_SETUID] = {
+                .name = "@setuid",
+                .help = "Operations for changing user/group credentials",
+                .value =
+                "setgid32\0"
+                "setgid\0"
+                "setgroups32\0"
+                "setgroups\0"
+                "setregid32\0"
+                "setregid\0"
+                "setresgid32\0"
+                "setresgid\0"
+                "setresuid32\0"
+                "setresuid\0"
+                "setreuid32\0"
+                "setreuid\0"
+                "setuid32\0"
+                "setuid\0"
+        },
         [SYSCALL_FILTER_SET_SWAP] = {
                 .name = "@swap",
                 .help = "Enable/disable swap devices",
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 596539e8f55..f6b68894601 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -58,6 +58,7 @@ enum {
         SYSCALL_FILTER_SET_RAW_IO,
         SYSCALL_FILTER_SET_REBOOT,
         SYSCALL_FILTER_SET_RESOURCES,
+        SYSCALL_FILTER_SET_SETUID,
         SYSCALL_FILTER_SET_SWAP,
         _SYSCALL_FILTER_SET_MAX
 };