From: Lennart Poettering
Date: Tue, 2 Jun 2020 08:40:25 +0000 (+0200)
Subject: seccomp: filter openat2() entirely in seccomp_restrict_sxid()
X-Git-Tag: v246-rc1~214
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ecc04067f9892f6d4f7c300c34de9e2f87813ef2;p=thirdparty%2Fsystemd.git
seccomp: filter openat2() entirely in seccomp_restrict_sxid()
---
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 320b1767c56..6a3cfe770ca 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -2002,6 +2002,22 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
 else
 any = true;
+#if defined(__SNR_openat2)
+ /* The new openat2() system call can't be filtered sensibly, since it moves the flags parameter into
+ * an indirect structure. Let's block it entirely for now. That should be a reasonably OK thing to do
+ * for now, since openat2() is very new and code generally needs fallback logic anyway to be
+ * compatible with kernels that are not absolutely recent. */
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(openat2),
+ 0);
+ if (r < 0)
+ log_debug_errno(r, "Failed to add filter for openat2: %m");
+ else
+ any = true;
+#endif
+
 r = seccomp_rule_add_exact(
 seccomp,
 SCMP_ACT_ERRNO(EPERM),
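Review bot: `SCMP_ACT_ERRNO(EPERM)` on the new openat2 rule works against the fallback the comment relies on: code that probes for openat2() typically retries with openat() only on ENOSYS, so EPERM is likely to surface as a hard permission failure instead. I would return `SCMP_ACT_ERRNO(ENOSYS),` here and add a sentence to the comment saying the errno is chosen to push callers onto open()/openat(), which the other rules in this function appear to handle. Separately, `#if defined(__SNR_openat2)` is a build-time test, so a binary built against headers that lack the syscall number installs no rule, and on a kernel that does provide openat2() the setuid/setgid restriction would presumably not cover that path; that limit deserves a line in the comment. The body of seccomp_restrict_sxid starts and ends outside the hunk.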