author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2017-10-05 22:06:39 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-05 22:06:39 +0200 |
commit | 082827e6c6ca6272473450a8c1390dfc6054be78 (patch) | |
tree | 6c4314cdd306e9e01e2148fea40046fc124683f4 | |
parent | Merge pull request #7008 from poettering/sorevision235 (diff) | |
parent | seccomp: port @privileged to use @reboot + @swap (diff) | |
download | systemd-082827e6c6ca6272473450a8c1390dfc6054be78.tar.xz systemd-082827e6c6ca6272473450a8c1390dfc6054be78.zip |
Merge pull request #6999 from poettering/seccomp-newgroups
add three new syscall groups, and port @privileged to make use of more existing ones
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | man/systemd.exec.xml | 12 | ||||
-rw-r--r-- | src/nspawn/nspawn-seccomp.c | 23 | ||||
-rw-r--r-- | src/shared/seccomp-util.c | 52 | ||||
-rw-r--r-- | src/shared/seccomp-util.h | 3 |
5 files changed, 59 insertions, 35 deletions
@@ -118,8 +118,8 @@ CHANGES WITH 235: each time the service is restarted due to Restart=, and may be queried using "systemctl show -p NRestarts …". - * New system call filter groups @setuid, @memlock, @signal and - @timer have been added, for usage with SystemCallFilter= + * New system call filter groups @aio, @sync, @chown, @setuid, @memlock, + @signal and @timer have been added, for usage with SystemCallFilter= in unit files and the new --system-call-filter= command line option of systemd-nspawn (see above). diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 9c5be21053..dfae0572d8 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1491,10 +1491,18 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
 </thead>
 <tbody>
 <row>
+ <entry>@aio</entry>
+ <entry>Asynchronous I/O (<citerefentry project='man-pages'><refentrytitle>io_setup</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>io_submit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+ </row>
+ <row>
 <entry>@basic-io</entry>
 <entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
 </row>
 <row>
+ <entry>@chown</entry>
+ <entry>Changing file ownership (<citerefentry project='man-pages'><refentrytitle>chown</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>fchownat</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+ </row>
+ <row>
 <entry>@clock</entry>
 <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
 </row>
@@ -1575,6 +1583,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry> </row> <row> + <entry>@sync</entry> + <entry>Synchronizing files and memory to disk: (<citerefentry project='man-pages'><refentrytitle>fsync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>msync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> + </row> + <row> <entry>@timer</entry> <entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> </row> diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index 92d8103ad5..1890dd8e27 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -49,7 +49,9 @@ static int seccomp_add_default_syscall_filter( const char* name; } whitelist[] = { /* Let's use set names where we can */ + { 0, "@aio" }, { 0, "@basic-io" }, + { 0, "@chown" }, { 0, "@default" }, { 0, "@file-system" }, { 0, "@io-event" }, @@ -60,6 +62,7 @@ static int seccomp_add_default_syscall_filter( { 0, "@resources" }, { 0, "@setuid" }, { 0, "@signal" }, + { 0, "@sync" }, { 0, "@timer" }, /* The following four are sets we optionally enable, in case the caps have been configured for it */ 
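Review bot: The default container whitelist now inherits whatever `@aio`, `@chown` and `@sync` contain (and, via hunks @@ -72 and @@ -131, drops the explicit names they replace), so any later widening of those groups in the shared filter-set table widens nspawn's default filter without any change in this file. As defined in this commit the groups cover exactly the removed names — the seven chown variants, the six sync calls, the five io_* calls — and `preadv2`/`pwritev2` move into `@basic-io`, which the whitelist already lists, so the effective filter appears unchanged today. A comment on the first group entry would make that coupling explicit, e.g. `/* Group membership lives in the shared syscall_filter_sets table; widening a group there widens this default filter too. */`. The enclosing `seccomp_add_default_syscall_filter` starts and ends outside the hunk.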
@@ -72,42 +75,25 @@ static int seccomp_add_default_syscall_filter(
 { 0, "brk" },
 { 0, "capget" },
 { 0, "capset" },
- { 0, "chown" },
- { 0, "chown32" },
 { 0, "copy_file_range" },
 { 0, "fadvise64" },
 { 0, "fadvise64_64" },
- { 0, "fchown" },
- { 0, "fchown32" },
- { 0, "fchownat" },
- { 0, "fdatasync" },
 { 0, "flock" },
- { 0, "fsync" },
 { 0, "get_mempolicy" },
 { 0, "getcpu" },
 { 0, "getpriority" },
 { 0, "getrandom" },
- { 0, "io_cancel" },
- { 0, "io_destroy" },
- { 0, "io_getevents" },
- { 0, "io_setup" },
- { 0, "io_submit" },
 { 0, "ioctl" },
 { 0, "ioprio_get" },
 { 0, "kcmp" },
- { 0, "lchown" },
- { 0, "lchown32" },
 { 0, "madvise" },
 { 0, "mincore" },
 { 0, "mprotect" },
 { 0, "mremap" },
- { 0, "msync" },
 { 0, "name_to_handle_at" },
 { 0, "oldolduname" },
 { 0, "olduname" },
 { 0, "personality" },
- { 0, "preadv2" },
- { 0, "pwritev2" },
 { 0, "readahead" },
 { 0, "readdir" },
 { 0, "remap_file_pages" },
@@ -131,9 +117,6 @@ static int seccomp_add_default_syscall_filter(
 { 0, "setpgid" },
 { 0, "setsid" },
 { 0, "splice" },
- { 0, "sync" },
- { 0, "sync_file_range" },
- { 0, "syncfs" },
 { 0, "sysinfo" },
 { 0, "tee" },
 { 0, "umask" },
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index a2354325d1..14a75bfffe 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -317,6 +317,16 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "time\0"
 "ugetrlimit\0"
 },
+ [SYSCALL_FILTER_SET_AIO] = {
+ .name = "@aio",
+ .help = "Asynchronous IO",
+ .value =
+ "io_cancel\0"
+ "io_destroy\0"
+ "io_getevents\0"
+ "io_setup\0"
+ "io_submit\0"
+ },
 [SYSCALL_FILTER_SET_BASIC_IO] = {
 .name = "@basic-io",
 .help = "Basic IO",
@@ -329,13 +339,27 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "lseek\0"
 "pread64\0"
 "preadv\0"
+ "preadv2\0"
 "pwrite64\0"
 "pwritev\0"
+ "pwritev2\0"
 "read\0"
 "readv\0"
 "write\0"
 "writev\0"
 },
+ [SYSCALL_FILTER_SET_CHOWN] = {
+ .name = "@chown",
+ .help = "Change ownership of files and directories",
+ .value =
+ "chown\0"
+ "chown32\0"
+ "fchown\0"
+ "fchown32\0"
+ "fchownat\0"
+ "lchown\0"
+ "lchown32\0"
+ },
 [SYSCALL_FILTER_SET_CLOCK] = {
 .name = "@clock",
 .help = "Change the system time",
@@ -600,27 +624,20 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 .name = "@privileged",
 .help = "All system calls which need super-user capabilities",
 .value =
+ "@chown\0"
 "@clock\0"
 "@module\0"
 "@raw-io\0"
+ "@reboot\0"
+ "@swap\0"
 "_sysctl\0"
 "acct\0"
 "bpf\0"
 "capset\0"
- "chown\0"
- "chown32\0"
 "chroot\0"
- "fchown\0"
- "fchown32\0"
- "fchownat\0"
- "kexec_file_load\0"
- "kexec_load\0"
- "lchown\0"
- "lchown32\0"
 "nfsservctl\0"
 "pivot_root\0"
 "quotactl\0"
- "reboot\0"
 "setdomainname\0"
 "setfsuid\0"
 "setfsuid32\0"
@@ -633,8 +650,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "setreuid32\0"
 "setuid\0"
 "setuid32\0"
- "swapoff\0"
- "swapon\0"
 "vhangup\0"
 },
 [SYSCALL_FILTER_SET_PROCESS] = {
@@ -681,8 +696,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 .name = "@reboot",
 .help = "Reboot and reboot preparation/kexec",
 .value =
- "kexec\0"
 "kexec_file_load\0"
+ "kexec_load\0"
 "reboot\0"
 },
 [SYSCALL_FILTER_SET_RESOURCES] = {
@@ -746,6 +761,17 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "swapoff\0"
 "swapon\0"
 },
+ [SYSCALL_FILTER_SET_SYNC] = {
+ .name = "@sync",
+ .help = "Synchronize files and memory to storage",
+ .value =
+ "fdatasync\0"
+ "fsync\0"
+ "msync\0"
+ "sync\0"
+ "sync_file_range\0"
+ "syncfs\0"
+ },
 [SYSCALL_FILTER_SET_TIMER] = {
 .name = "@timer",
 .help = "Schedule operations by time",
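Review bot: Two pre-existing groups change membership in these hunks while NEWS (hunk @@ -118) announces only the new ones: `@basic-io` gains `preadv2`/`pwritev2` (hunk @@ -329) and `@reboot` gains `kexec_load` in place of `kexec`, which is not a Linux syscall name (hunk @@ -681). Existing units that use `SystemCallFilter=@basic-io` as an allow-list now admit two more calls, and units using `~@reboot` as a deny-list now block one more, so a NEWS sentence such as `@basic-io now also covers preadv2 and pwritev2, and @reboot now lists kexec_load` would make the change discoverable. The stale `kexec` entry also shows that a misspelled name in these tables is not caught at build time; if the existing seccomp tests do not already do so, a test that resolves every non-`@` entry of every set through libseccomp would catch that class of drift. The `@privileged` rewrite (hunks @@ -600 and @@ -633) looks membership-neutral, since `@chown`, `@reboot` and `@swap` as defined in this commit contain exactly the names removed from it.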
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 25ca9bcaa0..6dfa465ef3 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -41,7 +41,9 @@ typedef struct SyscallFilterSet {
 enum {
 /* Please leave DEFAULT first, but sort the rest alphabetically */
 SYSCALL_FILTER_SET_DEFAULT,
+ SYSCALL_FILTER_SET_AIO,
 SYSCALL_FILTER_SET_BASIC_IO,
+ SYSCALL_FILTER_SET_CHOWN,
 SYSCALL_FILTER_SET_CLOCK,
 SYSCALL_FILTER_SET_CPU_EMULATION,
 SYSCALL_FILTER_SET_DEBUG,
@@ -62,6 +64,7 @@ enum {
 SYSCALL_FILTER_SET_SETUID,
 SYSCALL_FILTER_SET_SIGNAL,
 SYSCALL_FILTER_SET_SWAP,
+ SYSCALL_FILTER_SET_SYNC,
 SYSCALL_FILTER_SET_TIMER,
 _SYSCALL_FILTER_SET_MAX
 };
|
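Review bot: Each enumerator added here must be paired with a designated initializer in `syscall_filter_sets[]` (hunks @@ -317, @@ -329 and @@ -746 do that for AIO, CHOWN and SYNC), but nothing enforces the pairing at build time: a forgotten entry leaves a zero-initialized slot whose `.name` is NULL, which name lookups over the table would presumably hand to a string comparison. Because the table is sized by `_SYSCALL_FILTER_SET_MAX`, a test or startup assertion that every index below it has a non-NULL `.name` starting with `@` would catch such a mismatch before it is reachable from unit files. The enum comment could also state the coupling, e.g. `/* Please leave DEFAULT first, but sort the rest alphabetically. Every enumerator needs a matching entry in syscall_filter_sets[]. */`.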