seccomp: remove '@credentials' syscall set (#6958)
This removes the '@credentials' syscall set that was added in commit v234-468-gcd0ddf6f75. Most of these syscalls are so simple that we do not want to filter them: they operate on the current calling process, perform only read operations, and do not have a deep kernel path. The only problematic one may be the 'capget' syscall, since it can query arbitrary processes and so be used to discover processes; however, sending signal 0 to arbitrary processes can likewise be used to discover whether a process exists. It is unfortunate that Linux allows querying the processes of other users. Let's put it in the '@process' syscall set for now, and later we may add it to a new '@basic-process' set that allows the most basic process operations.
parent
8502cadd4c
commit
09d3020b0a
4
NEWS
4
NEWS
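--- a/NEWS
+++ b/NEWS
@@ -121,8 +121,8 @@ CHANGES WITH 235:
 each time the service is restarted due to Restart=, and may be
 queried using "systemctl show -p NRestarts …".
 
-* New system call filter groups @setuid, @credentials, @memlock,
-@signal and @timer have been added, for usage with SystemCallFilter=
+* New system call filter groups @setuid, @memlock, @signal and
+@timer have been added, for usage with SystemCallFilter=
 in unit files and the new --system-call-filter= command line option
 of systemd-nspawn (see above).
 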
@ -1502,10 +1502,6 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
|||||||
<entry>@cpu-emulation</entry>
|
<entry>@cpu-emulation</entry>
|
||||||
<entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
<entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||||
</row>
|
</row>
|
||||||
<row>
|
|
||||||
<entry>@credentials</entry>
|
|
||||||
<entry>System calls for querying process credentials (<citerefentry project='man-pages'><refentrytitle>getuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>capget</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
|
|
||||||
</row>
|
|
||||||
<row>
|
<row>
|
||||||
<entry>@debug</entry>
|
<entry>@debug</entry>
|
||||||
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||||
|
@ -50,7 +50,6 @@ static int seccomp_add_default_syscall_filter(
|
|||||||
} whitelist[] = {
|
} whitelist[] = {
|
||||||
/* Let's use set names where we can */
|
/* Let's use set names where we can */
|
||||||
{ 0, "@basic-io" },
|
{ 0, "@basic-io" },
|
||||||
{ 0, "@credentials" },
|
|
||||||
{ 0, "@default" },
|
{ 0, "@default" },
|
||||||
{ 0, "@file-system" },
|
{ 0, "@file-system" },
|
||||||
{ 0, "@io-event" },
|
{ 0, "@io-event" },
|
||||||
@ -71,6 +70,7 @@ static int seccomp_add_default_syscall_filter(
|
|||||||
|
|
||||||
/* Plus a good set of additional syscalls which are not part of any of the groups above */
|
/* Plus a good set of additional syscalls which are not part of any of the groups above */
|
||||||
{ 0, "brk" },
|
{ 0, "brk" },
|
||||||
|
{ 0, "capget" },
|
||||||
{ 0, "capset" },
|
{ 0, "capset" },
|
||||||
{ 0, "chown" },
|
{ 0, "chown" },
|
||||||
{ 0, "chown32" },
|
{ 0, "chown32" },
|
||||||
|
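Review bot: The new `{ 0, "capget" }` entry lands under the comment about syscalls "not part of any of the groups above" with no rationale of its own, although it is the one call this commit deliberately relocated; a comment such as `{ 0, "capget" }, /* formerly in @credentials, now in @process; listed on its own so the rest of @process need not be whitelisted */` would explain why it is here. Whether @process really is absent from the groups listed above has to be confirmed against the start of the whitelist, which lies outside the hunk at -50. With @credentials dropped from the list, the get*id/getpid/getsid calls it used to grant stay permitted here only through `{ 0, "@default" }`, assuming the hunk at -281 of the filter table (the one that gains those names) belongs to @default — its set name is outside that hunk. `seccomp_add_default_syscall_filter` starts and ends outside both hunks.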
@ -281,8 +281,28 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||||||
"futex\0"
|
"futex\0"
|
||||||
"get_robust_list\0"
|
"get_robust_list\0"
|
||||||
"get_thread_area\0"
|
"get_thread_area\0"
|
||||||
|
"getegid\0"
|
||||||
|
"getegid32\0"
|
||||||
|
"geteuid\0"
|
||||||
|
"geteuid32\0"
|
||||||
|
"getgid\0"
|
||||||
|
"getgid32\0"
|
||||||
|
"getgroups\0"
|
||||||
|
"getgroups32\0"
|
||||||
|
"getpgid\0"
|
||||||
|
"getpgrp\0"
|
||||||
|
"getpid\0"
|
||||||
|
"getppid\0"
|
||||||
|
"getresgid\0"
|
||||||
|
"getresgid32\0"
|
||||||
|
"getresuid\0"
|
||||||
|
"getresuid32\0"
|
||||||
"getrlimit\0" /* make sure processes can query stack size and such */
|
"getrlimit\0" /* make sure processes can query stack size and such */
|
||||||
|
"getsid\0"
|
||||||
|
"gettid\0"
|
||||||
"gettimeofday\0"
|
"gettimeofday\0"
|
||||||
|
"getuid\0"
|
||||||
|
"getuid32\0"
|
||||||
"membarrier\0"
|
"membarrier\0"
|
||||||
"nanosleep\0"
|
"nanosleep\0"
|
||||||
"pause\0"
|
"pause\0"
|
||||||
@ -333,32 +353,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||||||
"vm86\0"
|
"vm86\0"
|
||||||
"vm86old\0"
|
"vm86old\0"
|
||||||
},
|
},
|
||||||
[SYSCALL_FILTER_SET_CREDENTIALS] = {
|
|
||||||
.name = "@credentials",
|
|
||||||
.help = "Query own process credentials",
|
|
||||||
.value =
|
|
||||||
"capget\0"
|
|
||||||
"getegid\0"
|
|
||||||
"getegid32\0"
|
|
||||||
"geteuid\0"
|
|
||||||
"geteuid32\0"
|
|
||||||
"getgid\0"
|
|
||||||
"getgid32\0"
|
|
||||||
"getgroups\0"
|
|
||||||
"getgroups32\0"
|
|
||||||
"getpgid\0"
|
|
||||||
"getpgrp\0"
|
|
||||||
"getpid\0"
|
|
||||||
"getppid\0"
|
|
||||||
"getresgid\0"
|
|
||||||
"getresgid32\0"
|
|
||||||
"getresuid\0"
|
|
||||||
"getresuid32\0"
|
|
||||||
"getsid\0"
|
|
||||||
"gettid\0"
|
|
||||||
"getuid\0"
|
|
||||||
"getuid32\0"
|
|
||||||
},
|
|
||||||
[SYSCALL_FILTER_SET_DEBUG] = {
|
[SYSCALL_FILTER_SET_DEBUG] = {
|
||||||
.name = "@debug",
|
.name = "@debug",
|
||||||
.help = "Debugging, performance monitoring and tracing functionality",
|
.help = "Debugging, performance monitoring and tracing functionality",
|
||||||
@ -645,11 +639,10 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
|||||||
.help = "Process control, execution, namespaceing operations",
|
.help = "Process control, execution, namespaceing operations",
|
||||||
.value =
|
.value =
|
||||||
"arch_prctl\0"
|
"arch_prctl\0"
|
||||||
|
"capget\0" /* Able to query arbitrary processes */
|
||||||
"clone\0"
|
"clone\0"
|
||||||
"execveat\0"
|
"execveat\0"
|
||||||
"fork\0"
|
"fork\0"
|
||||||
"getpid\0"
|
|
||||||
"getppid\0"
|
|
||||||
"getrusage\0"
|
"getrusage\0"
|
||||||
"gettid\0"
|
"gettid\0"
|
||||||
"kill\0"
|
"kill\0"
|
||||||
|
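Review bot: The comment on the new `"capget\0" /* Able to query arbitrary processes */` line in @process is the only place in the source that records why this one syscall did not follow the other get*id calls, so it should carry the reasoning from the commit message: `"capget\0" /* unlike the get*id() calls this can query arbitrary pids, so it belongs with the process-wide calls (kill, …) rather than the per-process getters */`. The same hunk removes `getpid` and `getppid` from @process while the hunk at -281 adds them, with the other getters, to a set whose name is outside that hunk; its context lines (getrlimit, gettimeofday, nanosleep) suggest @default, but that should be confirmed, because a filter that whitelists @process alone loses getpid unless @default is implied. While touching this set, the context line `.help = "Process control, execution, namespaceing operations"` could also be corrected to "namespacing". The `syscall_filter_sets` initializer begins and ends outside these hunks.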
@ -44,7 +44,6 @@ enum {
|
|||||||
SYSCALL_FILTER_SET_BASIC_IO,
|
SYSCALL_FILTER_SET_BASIC_IO,
|
||||||
SYSCALL_FILTER_SET_CLOCK,
|
SYSCALL_FILTER_SET_CLOCK,
|
||||||
SYSCALL_FILTER_SET_CPU_EMULATION,
|
SYSCALL_FILTER_SET_CPU_EMULATION,
|
||||||
SYSCALL_FILTER_SET_CREDENTIALS,
|
|
||||||
SYSCALL_FILTER_SET_DEBUG,
|
SYSCALL_FILTER_SET_DEBUG,
|
||||||
SYSCALL_FILTER_SET_FILE_SYSTEM,
|
SYSCALL_FILTER_SET_FILE_SYSTEM,
|
||||||
SYSCALL_FILTER_SET_IO_EVENT,
|
SYSCALL_FILTER_SET_IO_EVENT,
|
||||||
|