From e706f5df66b7189a7df526aeeb45c86b8c4b057a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 2 Nov 2020 14:51:10 +0100
Subject: [PATCH] seccomp: allow turning off of seccomp filtering via env var
Fixes: #17504
(While we are at it, also move $SYSTEMD_SECCOMP_LOG= env var description
into the right document section)
Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
(cherry picked from commit ce8f6d478e3f6c6a313fb19615aa5029bb18f86d)
Resolves: #1916835
---
doc/ENVIRONMENT.md | 3 +++
src/nspawn/nspawn-seccomp.c | 2 +-
src/shared/seccomp-util.c | 19 +++++++++++++++----
3 files changed, 19 insertions(+), 5 deletions(-)
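diff --git a/doc/ENVIRONMENT.md b/doc/ENVIRONMENT.md
index 0e763b6302..36b649afe1 100644
--- a/doc/ENVIRONMENT.md
+++ b/doc/ENVIRONMENT.md
@@ -117,3 +117,6 @@ systemd-sulogin-shell:
 * `$SYSTEMD_SULOGIN_FORCE=1` — This skips asking for the root password if the
 root password is not available (such as when the root account is locked).
 See `sulogin(8)` for more details.
+
+* `$SYSTEMD_SECCOMP=0` – if set, seccomp filters will not be enforced, even if
+ support for it is compiled in and available in the kernel.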
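diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index b56c5b04a8..fba22644da 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -172,7 +172,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys
 int r;
 
 if (!is_seccomp_available()) {
- log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
+ log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
 return 0;
 }
 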
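diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index d91fb4e269..e903512d45 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -12,6 +12,7 @@
 
 #include "af-list.h"
 #include "alloc-util.h"
+#include "env-util.h"
 #include "macro.h"
 #include "nsflags.h"
 #include "process-util.h"
@@ -244,10 +245,20 @@ static bool is_seccomp_filter_available(void) {
 bool is_seccomp_available(void) {
 static int cached_enabled = -1;
 
- if (cached_enabled < 0)
- cached_enabled =
- is_basic_seccomp_available() &&
- is_seccomp_filter_available();
+ if (cached_enabled < 0) {
+ int b;
+
+ b = getenv_bool("SYSTEMD_SECCOMP");
+ if (b != 0) {
+ if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */
+ log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring.");
+
+ cached_enabled =
+ is_basic_seccomp_available() &&
+ is_seccomp_filter_available();
+ } else
+ cached_enabled = false;
+ }
 
 return cached_enabled;
 }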
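Review bot: The `} else cached_enabled = false;` branch honors `$SYSTEMD_SECCOMP=0` without logging anything, so a process that ends up running with no seccomp filters leaves no record in this function of why, and the caller message changed in the nspawn hunk folds this case together with missing kernel support. Because the variable switches off a sandboxing boundary for the whole process and the result is cached for its lifetime, I would emit one line in that branch, e.g. `log_debug("$SYSTEMD_SECCOMP=0 set, disabling seccomp filtering.");`, or at a higher level if operators are expected to notice it in the journal. The parse-failure path already logs and falls back to the kernel probe, which is the right default. `is_seccomp_available()` is visible in full here; the rest of the file is outside this section.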