From 65d64ba146c30a5f205b650381f331fd8db2eb22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 21 Aug 2020 17:23:48 +0200
Subject: [PATCH] nspawn: return ENOSYS by default, EPERM for "known" calls
|
(cherry picked from commit 3573e032f26724949e86626eace058d006b8bf70)
|
Resolves: #2040247
---
src/nspawn/nspawn-seccomp.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
|
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 2b4a65e875..563cda140e 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -20,7 +20,7 @@
|
#if HAVE_SECCOMP
|
-static int seccomp_add_default_syscall_filter(
+static int add_syscall_filters(
scmp_filter_ctx ctx,
uint32_t arch,
uint64_t cap_list_retain,
@@ -140,6 +140,7 @@ static int seccomp_add_default_syscall_filter(
*/
};
|
+ _cleanup_strv_free_ char **added = NULL;
int r;
size_t i;
char **p;
@@ -153,18 +154,25 @@ static int seccomp_add_default_syscall_filter(
SCMP_ACT_ALLOW,
syscall_blacklist,
false,
- NULL);
+ &added);
if (r < 0)
return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
}
|
STRV_FOREACH(p, syscall_whitelist) {
- r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false, NULL);
+ r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, true, &added);
if (r < 0)
log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
*p, seccomp_arch_to_string(arch));
}
|
+ /* The default action is ENOSYS. Respond with EPERM to all other "known" but not allow-listed
+ * syscalls. */
+ r = seccomp_add_syscall_filter_item(ctx, "@known", SCMP_ACT_ERRNO(EPERM), added, true, NULL);
+ if (r < 0)
+ log_warning_errno(r, "Failed to add rule for @known set on %s, ignoring: %m",
+ seccomp_arch_to_string(arch));
+
return 0;
}
|
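Review bot: When the `@known` rule at the end of add_syscall_filters fails to install, the warning says the failure is ignored, but the real effect is that every known-but-denied syscall then hits the ENOSYS default from setup_seccomp instead of EPERM, so callers that probe with ENOSYS take their "syscall not available" fallback rather than seeing a denial. That is fail-closed, so warn-and-continue is defensible, but the message should state the consequence: `log_warning_errno(r, "Failed to add EPERM rule for @known set on %s, denied syscalls will return ENOSYS instead: %m",`. The comment above the call would also help a reader if it said why the two errnos are distinguished and what `added` is for — that the allow-listed syscalls collected in `added` are excluded so the EPERM rule does not collide with the ALLOW rules already installed, and that ENOSYS is reserved for syscalls this build does not know about. Whether the exclude argument really prevents a conflicting rule for every name in `added` depends on seccomp_add_syscall_filter_item, which is outside this hunk, as is the start of add_syscall_filters.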
@@ -182,11 +190,13 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys
|
log_debug("Applying whitelist on architecture: %s", seccomp_arch_to_string(arch));
|
- r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(EPERM));
+ /* We install ENOSYS as the default action, but it will only apply to syscalls which are not
+ * in the @known set, see above. */
+ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(ENOSYS));
if (r < 0)
return log_error_errno(r, "Failed to allocate seccomp object: %m");
|
- r = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist);
+ r = add_syscall_filters(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist);
if (r < 0)
return r;
|