From 44898c535889ce31257f895c5fbcdfcfb6817bc6 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Sat, 30 Sep 2017 14:34:50 +0200
Subject: [PATCH 1/3] seccomp: add three more seccomp groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@aio → asynchronous IO calls
@sync → msync/fsync/... and friends
@chown → changing file ownership
(Also, change @privileged to reference @chown now, instead of the individual syscalls it contains)
---
 NEWS | 4 ++--
 man/systemd.exec.xml | 12 +++++++++++
 src/nspawn/nspawn-seccomp.c | 23 +++-----------------
 src/shared/seccomp-util.c | 43 +++++++++++++++++++++++++++++++------
 src/shared/seccomp-util.h | 3 +++
 5 files changed, 56 insertions(+), 29 deletions(-)
diff --git a/NEWS b/NEWS
index ac6f23c37d..61feb4b5c3 100644
--- a/NEWS
+++ b/NEWS
@@ -115,8 +115,8 @@ CHANGES WITH 235: each time the service is restarted due to Restart=, and may be queried using "systemctl show -p NRestarts …". - * New system call filter groups @setuid, @memlock, @signal and - @timer have been added, for usage with SystemCallFilter= + * New system call filter groups @aio, @sync, @chown, @setuid, @memlock, + @signal and @timer have been added, for usage with SystemCallFilter= in unit files and the new --system-call-filter= command line option of systemd-nspawn (see above).
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 9c5be21053..dfae0572d8 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1490,10 +1490,18 @@ CapabilityBoundingSet=~CAP_B CAP_C + + @aio + Asynchronous I/O (io_setup2, io_submit2, and related calls) + @basic-io System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (read2, write2, and related calls) + + @chown + Changing file ownership (chown2, fchownat2, and related calls) + @clock System calls for changing the system clock (adjtimex2, settimeofday2, and related calls)
@@ -1574,6 +1582,10 @@ CapabilityBoundingSet=~CAP_B CAP_C @swap System calls for enabling/disabling swap devices (swapon2, swapoff2) + + @sync + Synchronizing files and memory to disk: (fsync2, msync2, and related calls) + @timer System calls for scheduling operations by time (alarm2, timer_create2, …)
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 92d8103ad5..1890dd8e27 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -49,7 +49,9 @@ static int seccomp_add_default_syscall_filter(
 const char* name;
 } whitelist[] = {
 /* Let's use set names where we can */
+ { 0, "@aio" },
 { 0, "@basic-io" },
+ { 0, "@chown" },
 { 0, "@default" },
 { 0, "@file-system" },
 { 0, "@io-event" },
@@ -60,6 +62,7 @@ static int seccomp_add_default_syscall_filter( { 0, "@resources" }, { 0, "@setuid" }, { 0, "@signal" }, + { 0, "@sync" }, { 0, "@timer" }, /* The following four are sets we optionally enable, in case the caps have been configured for it */
@@ -72,42 +75,25 @@ static int seccomp_add_default_syscall_filter(
 { 0, "brk" },
 { 0, "capget" },
 { 0, "capset" },
- { 0, "chown" },
- { 0, "chown32" },
 { 0, "copy_file_range" },
 { 0, "fadvise64" },
 { 0, "fadvise64_64" },
- { 0, "fchown" },
- { 0, "fchown32" },
- { 0, "fchownat" },
- { 0, "fdatasync" },
 { 0, "flock" },
- { 0, "fsync" },
 { 0, "get_mempolicy" },
 { 0, "getcpu" },
 { 0, "getpriority" },
 { 0, "getrandom" },
- { 0, "io_cancel" },
- { 0, "io_destroy" },
- { 0, "io_getevents" },
- { 0, "io_setup" },
- { 0, "io_submit" },
 { 0, "ioctl" },
 { 0, "ioprio_get" },
 { 0, "kcmp" },
- { 0, "lchown" },
- { 0, "lchown32" },
 { 0, "madvise" },
 { 0, "mincore" },
 { 0, "mprotect" },
 { 0, "mremap" },
- { 0, "msync" },
 { 0, "name_to_handle_at" },
 { 0, "oldolduname" },
 { 0, "olduname" },
 { 0, "personality" },
- { 0, "preadv2" },
- { 0, "pwritev2" },
 { 0, "readahead" },
 { 0, "readdir" },
 { 0, "remap_file_pages" },
@@ -131,9 +117,6 @@ static int seccomp_add_default_syscall_filter(
 { 0, "setpgid" },
 { 0, "setsid" },
 { 0, "splice" },
- { 0, "sync" },
- { 0, "sync_file_range" },
- { 0, "syncfs" },
 { 0, "sysinfo" },
 { 0, "tee" },
 { 0, "umask" },
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index a2354325d1..454c0f872a 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -317,6 +317,16 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "time\0"
 "ugetrlimit\0"
 },
+ [SYSCALL_FILTER_SET_AIO] = {
+ .name = "@aio",
+ .help = "Asynchronous IO",
+ .value =
+ "io_cancel\0"
+ "io_destroy\0"
+ "io_getevents\0"
+ "io_setup\0"
+ "io_submit\0"
+ },
 [SYSCALL_FILTER_SET_BASIC_IO] = {
 .name = "@basic-io",
 .help = "Basic IO",
@@ -329,13 +339,27 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "lseek\0"
 "pread64\0"
 "preadv\0"
+ "preadv2\0"
 "pwrite64\0"
 "pwritev\0"
+ "pwritev2\0"
 "read\0"
 "readv\0"
 "write\0"
 "writev\0"
 },
+ [SYSCALL_FILTER_SET_CHOWN] = {
+ .name = "@chown",
+ .help = "Change ownership of files and directories",
+ .value =
+ "chown\0"
+ "chown32\0"
+ "fchown\0"
+ "fchown32\0"
+ "fchownat\0"
+ "lchown\0"
+ "lchown32\0"
+ },
 [SYSCALL_FILTER_SET_CLOCK] = {
 .name = "@clock",
 .help = "Change the system time",
@@ -600,6 +624,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 .name = "@privileged",
 .help = "All system calls which need super-user capabilities",
 .value =
+ "@chown\0"
 "@clock\0"
 "@module\0"
 "@raw-io\0"
@@ -607,16 +632,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "acct\0"
 "bpf\0"
 "capset\0"
- "chown\0"
- "chown32\0"
 "chroot\0"
- "fchown\0"
- "fchown32\0"
- "fchownat\0"
 "kexec_file_load\0"
 "kexec_load\0"
- "lchown\0"
- "lchown32\0"
 "nfsservctl\0"
 "pivot_root\0"
 "quotactl\0"
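Review bot: The `preadv2`/`pwritev2` lines added to `@basic-io` in the `@@ -329` hunk widen an existing group, whereas the NEWS entry in this series only announces the new groups. For a unit using `SystemCallFilter=~@basic-io` those two calls become blocked and for an allow-list they become permitted, so a NEWS sentence such as `@basic-io now also covers preadv2 and pwritev2` would be worth adding. nspawn itself is unaffected, since it whitelisted both explicitly before (see the removals in src/nspawn/nspawn-seccomp.c) and whitelists `@basic-io`.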
@@ -746,6 +764,17 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "swapoff\0"
 "swapon\0"
 },
+ [SYSCALL_FILTER_SET_SYNC] = {
+ .name = "@sync",
+ .help = "Synchronize files and memory to storage",
+ .value =
+ "fdatasync\0"
+ "fsync\0"
+ "msync\0"
+ "sync\0"
+ "sync_file_range\0"
+ "syncfs\0"
+ },
 [SYSCALL_FILTER_SET_TIMER] = {
 .name = "@timer",
 .help = "Schedule operations by time",
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 25ca9bcaa0..6dfa465ef3 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -41,7 +41,9 @@ typedef struct SyscallFilterSet {
 enum {
 /* Please leave DEFAULT first, but sort the rest alphabetically */
 SYSCALL_FILTER_SET_DEFAULT,
+ SYSCALL_FILTER_SET_AIO,
 SYSCALL_FILTER_SET_BASIC_IO,
+ SYSCALL_FILTER_SET_CHOWN,
 SYSCALL_FILTER_SET_CLOCK,
 SYSCALL_FILTER_SET_CPU_EMULATION,
 SYSCALL_FILTER_SET_DEBUG,
@@ -62,6 +64,7 @@ enum {
 SYSCALL_FILTER_SET_SETUID,
 SYSCALL_FILTER_SET_SIGNAL,
 SYSCALL_FILTER_SET_SWAP,
+ SYSCALL_FILTER_SET_SYNC,
 SYSCALL_FILTER_SET_TIMER,
 _SYSCALL_FILTER_SET_MAX
 };
From e59608fa5ff2ca3bf30132bf9e1879db2d94b40a Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 4 Oct 2017 21:09:52 +0200
Subject: [PATCH 2/3] seccomp: there is no "kexec" syscall
it's called "kexec_load".
---
 src/shared/seccomp-util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 454c0f872a..f053b6353e 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -699,8 +699,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 .name = "@reboot",
 .help = "Reboot and reboot preparation/kexec",
 .value =
- "kexec\0"
 "kexec_file_load\0"
+ "kexec_load\0"
 "reboot\0"
 },
 [SYSCALL_FILTER_SET_RESOURCES] = {
From af0f047ba8e8334e3e3b0863025ae02f9dbd8b52 Mon Sep 17 00:00:00 2001
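Review bot: `@sync` in the `@@ -746` hunk lists `sync_file_range` but not `sync_file_range2`, the separately named variant libseccomp carries for architectures (arm and powerpc among them) whose ABI passes the arguments in a different order; there a deny-list of `@sync` leaves that call reachable and an allow-list does not grant it. The new sets already include per-architecture spellings (`chown32`, `fchown32`, `lchown32` in `@chown`), so `"sync_file_range2\0"` belongs after `"sync_file_range\0"`. This is not a regression introduced here: the old nspawn whitelist removed in src/nspawn/nspawn-seccomp.c went straight from `sync_file_range` to `syncfs`, so the variant was not covered before either.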
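Review bot: A test that resolves every name of every `syscall_filter_sets[]` entry with `seccomp_syscall_resolve_name()` and fails on `__NR_SCMP_ERROR` would have caught the `kexec` typo fixed in the `@@ -699` hunk, unless the suite already has one. As far as I can tell an unresolvable name is skipped when a set is applied (it has to be, since per-architecture names like `chown32` are listed unconditionally), so `SystemCallFilter=~@reboot` silently left `kexec_load` reachable until this fix, while `@privileged` only covered it through its own direct entry. The third patch in this series makes `@privileged` depend on `@reboot` for kexec coverage, so keeping the nested sets typo-free matters beyond `@reboot` itself.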
From: Lennart Poettering
Date: Mon, 2 Oct 2017 09:16:50 +0200
Subject: [PATCH 3/3] seccomp: port @privileged to use @reboot + @swap
Let's reuse two groups we already defined to make @privileged a bit shorter.
---
 src/shared/seccomp-util.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index f053b6353e..14a75bfffe 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -628,17 +628,16 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "@clock\0"
 "@module\0"
 "@raw-io\0"
+ "@reboot\0"
+ "@swap\0"
 "_sysctl\0"
 "acct\0"
 "bpf\0"
 "capset\0"
 "chroot\0"
- "kexec_file_load\0"
- "kexec_load\0"
 "nfsservctl\0"
 "pivot_root\0"
 "quotactl\0"
- "reboot\0"
 "setdomainname\0"
 "setfsuid\0"
 "setfsuid32\0"
@@ -651,8 +650,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "setreuid32\0"
 "setuid\0"
 "setuid32\0"
- "swapoff\0"
- "swapon\0"
 "vhangup\0"
 },
 [SYSCALL_FILTER_SET_PROCESS] = {