authorLennart Poettering <lennart@poettering.net>2020-11-02 14:51:10 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2020-11-05 20:22:19 +0100
commitce8f6d478e3f6c6a313fb19615aa5029bb18f86d (patch)
treebd4d5d5c89d8f1a21ee734bd9d95c0192336ea84
parentupdate TODO (diff)
seccomp: allow turning off of seccomp filtering via env var
Fixes: #17504 (While we are at it, also move the $SYSTEMD_SECCOMP_LOG= env var description into the right document section.) Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
-rw-r--r--docs/ENVIRONMENT.md11
-rw-r--r--src/nspawn/nspawn-seccomp.c2
-rw-r--r--src/shared/seccomp-util.c18
3 files changed, 22 insertions, 9 deletions
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
index 38752c9169..74a71bba93 100644
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@@ -83,6 +83,13 @@ All tools:
* `$SYSTEMD_RDRAND=0` — if set, the RDRAND instruction will never be used,
even if the CPU supports it.
+* `$SYSTEMD_SECCOMP=0` – if set, seccomp filters will not be enforced, even if
+ support for it is compiled in and available in the kernel.
+
+* `$SYSTEMD_LOG_SECCOMP=1` — if set, system calls blocked by seccomp filtering,
+ for example in systemd-nspawn, will be logged to the audit log, if the current
+ kernel version supports this.
+
systemctl:
* `$SYSTEMCTL_FORCE_BUS=1` — if set, do not connect to PID1's private D-Bus
@@ -93,10 +100,6 @@ systemctl:
* `$SYSTEMCTL_SKIP_SYSV=1` — if set, do not call out to SysV compatibility hooks.
-* `$SYSTEMD_LOG_SECCOMP=1` — if set, system calls blocked by seccomp filtering,
- for example in systemd-nspawn, will be logged to the audit log, if the current
- kernel version supports this.
-
systemd-nspawn:
* `$SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=1` — if set, force nspawn into unified
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 1ab50553a9..76f2bfe77e 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -186,7 +186,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
int r;
if (!is_seccomp_available()) {
- log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
+ log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
return 0;
}
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 8475924297..f6a8e4963d 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -259,10 +259,20 @@ static bool is_seccomp_filter_available(void) {
bool is_seccomp_available(void) {
static int cached_enabled = -1;
- if (cached_enabled < 0)
- cached_enabled =
- is_basic_seccomp_available() &&
- is_seccomp_filter_available();
+ if (cached_enabled < 0) {
+ int b;
+
+ b = getenv_bool_secure("SYSTEMD_SECCOMP");
+ if (b != 0) {
+ if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */
+ log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring.");
+
+ cached_enabled =
+ is_basic_seccomp_available() &&
+ is_seccomp_filter_available();
+ } else
+ cached_enabled = false;
+ }
return cached_enabled;
}
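Review bot: The `else` branch that handles `SYSTEMD_SECCOMP=0` sets `cached_enabled = false` without emitting any log line, so a process that inherits this variable (nspawn, or PID1 via the kernel command line) silently runs every service and container with no syscall filter while the parse-error path directly above it does log; add `log_debug("$SYSTEMD_SECCOMP=0 set, disabling seccomp filtering.");` before `cached_enabled = false;` so the journal records why filters are missing. Because the result is cached in a function-static, the variable is consulted only on the first call in the process, and callers cannot distinguish "kernel lacks seccomp" from "disabled by the operator" — which is why the nspawn message has to hedge with "or disabled at runtime"; a short comment above `static int cached_enabled` noting that the env var is read once and folded into the same flag would save the next maintainer the trace. `getenv_bool_secure()` presumably carries secure_getenv() semantics so the variable is ignored under elevated privileges — worth a one-line comment if that is the intent, since it is the only thing preventing an unprivileged environment from weakening a privileged caller's sandbox.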