b677e7
From e706f5df66b7189a7df526aeeb45c86b8c4b057a Mon Sep 17 00:00:00 2001
b677e7
From: Lennart Poettering <lennart@poettering.net>
b677e7
Date: Mon, 2 Nov 2020 14:51:10 +0100
b677e7
Subject: [PATCH] seccomp: allow turning off of seccomp filtering via env var
b677e7
b677e7
Fixes: #17504
b677e7
b677e7
(While we are it, also move $SYSTEMD_SECCOMP_LOG= env var description
b677e7
into the right document section)
b677e7
b677e7
Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
b677e7
b677e7
(cherry picked from commit ce8f6d478e3f6c6a313fb19615aa5029bb18f86d)
b677e7
b677e7
Resolves: #1916835
b677e7
---
b677e7
 doc/ENVIRONMENT.md          |  3 +++
b677e7
 src/nspawn/nspawn-seccomp.c |  2 +-
b677e7
 src/shared/seccomp-util.c   | 19 +++++++++++++++----
b677e7
 3 files changed, 19 insertions(+), 5 deletions(-)
b677e7
b677e7
diff --git a/doc/ENVIRONMENT.md b/doc/ENVIRONMENT.md
b677e7
index 0e763b6302..36b649afe1 100644
b677e7
--- a/doc/ENVIRONMENT.md
b677e7
+++ b/doc/ENVIRONMENT.md
b677e7
@@ -117,3 +117,6 @@ systemd-sulogin-shell:
b677e7
 * `$SYSTEMD_SULOGIN_FORCE=1` — This skips asking for the root password if the
b677e7
   root password is not available (such as when the root account is locked).
b677e7
   See `sulogin(8)` for more details.
b677e7
+
b677e7
+* `$SYSTEMD_SECCOMP=0` – if set, seccomp filters will not be enforced, even if
b677e7
+  support for it is compiled in and available in the kernel.
b677e7
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
b677e7
index b56c5b04a8..fba22644da 100644
b677e7
--- a/src/nspawn/nspawn-seccomp.c
b677e7
+++ b/src/nspawn/nspawn-seccomp.c
b677e7
@@ -172,7 +172,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys
b677e7
         int r;
b677e7
 
b677e7
         if (!is_seccomp_available()) {
b677e7
-                log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
b677e7
+                log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
b677e7
                 return 0;
b677e7
         }
b677e7
 
b677e7
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
b677e7
index d91fb4e269..e903512d45 100644
b677e7
--- a/src/shared/seccomp-util.c
b677e7
+++ b/src/shared/seccomp-util.c
b677e7
@@ -12,6 +12,7 @@
b677e7
 
b677e7
 #include "af-list.h"
b677e7
 #include "alloc-util.h"
b677e7
+#include "env-util.h"
b677e7
 #include "macro.h"
b677e7
 #include "nsflags.h"
b677e7
 #include "process-util.h"
b677e7
@@ -244,10 +245,20 @@ static bool is_seccomp_filter_available(void) {
b677e7
 bool is_seccomp_available(void) {
b677e7
         static int cached_enabled = -1;
b677e7
 
b677e7
-        if (cached_enabled < 0)
b677e7
-                cached_enabled =
b677e7
-                        is_basic_seccomp_available() &&
b677e7
-                        is_seccomp_filter_available();
b677e7
+        if (cached_enabled < 0) {
b677e7
+                int b;
b677e7
+
b677e7
+                b = getenv_bool("SYSTEMD_SECCOMP");
b677e7
+                if (b != 0) {
b677e7
+                        if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */
b677e7
+                                log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring.");
b677e7
+
b677e7
+                        cached_enabled =
b677e7
+                                is_basic_seccomp_available() &&
b677e7
+                                is_seccomp_filter_available();
b677e7
+                } else
b677e7
+                        cached_enabled = false;
b677e7
+        }
b677e7
 
b677e7
         return cached_enabled;
b677e7
 }