
seccomp: remove '@credentials' syscall set (#6958)

This removes the '@credentials' syscall set that was added in commit
v234-468-gcd0ddf6f75.

Most of these syscalls are so simple that we do not want to filter them:
they operate on the calling process itself, only perform read operations,
and do not exercise a deep kernel path.

The only questionable one is the 'capget' syscall, since it can query
arbitrary processes and could therefore be used to discover which processes
exist; however, sending signal 0 to arbitrary processes can already be used
to discover whether a process exists or not. It is unfortunate that Linux
allows querying the processes of other users. Let's put it in the
'@process' syscall set for now, and later we may add it to a new
'@basic-process' set that allows the most basic process operations.
This commit is contained in:
Djalal Harouni 2017-10-03 07:20:05 +02:00 committed by Zbigniew Jędrzejewski-Szmek
parent 8502cadd4c
commit 09d3020b0a
5 changed files with 24 additions and 36 deletions

NEWS

@ -121,8 +121,8 @@ CHANGES WITH 235:
each time the service is restarted due to Restart=, and may be each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …". queried using "systemctl show -p NRestarts …".
* New system call filter groups @setuid, @credentials, @memlock, * New system call filter groups @setuid, @memlock, @signal and
@signal and @timer have been added, for usage with SystemCallFilter= @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above). of systemd-nspawn (see above).


@ -1502,10 +1502,6 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<entry>@cpu-emulation</entry> <entry>@cpu-emulation</entry>
<entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> <entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
</row> </row>
<row>
<entry>@credentials</entry>
<entry>System calls for querying process credentials (<citerefentry project='man-pages'><refentrytitle>getuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>capget</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
</row>
<row> <row>
<entry>@debug</entry> <entry>@debug</entry>
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>


@ -50,7 +50,6 @@ static int seccomp_add_default_syscall_filter(
} whitelist[] = { } whitelist[] = {
/* Let's use set names where we can */ /* Let's use set names where we can */
{ 0, "@basic-io" }, { 0, "@basic-io" },
{ 0, "@credentials" },
{ 0, "@default" }, { 0, "@default" },
{ 0, "@file-system" }, { 0, "@file-system" },
{ 0, "@io-event" }, { 0, "@io-event" },
@ -71,6 +70,7 @@ static int seccomp_add_default_syscall_filter(
/* Plus a good set of additional syscalls which are not part of any of the groups above */ /* Plus a good set of additional syscalls which are not part of any of the groups above */
{ 0, "brk" }, { 0, "brk" },
{ 0, "capget" },
{ 0, "capset" }, { 0, "capset" },
{ 0, "chown" }, { 0, "chown" },
{ 0, "chown32" }, { 0, "chown32" },
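Review bot: The bare `{ 0, "capget" }` entry added to the flat list in the second hunk should carry a comment, because elsewhere in this commit capget is deliberately kept out of @default and placed in @process on the grounds that it can query arbitrary processes, and a reader of this file cannot see that reasoning. Suggest `{ 0, "capget" }, /* deliberately not in @default: takes a pid and can query other processes */`. Whether the rest of this whitelist already pulls in @process (which would make the explicit entry redundant) is not visible in the hunk, and the hunk's line counts suggest its last context line was dropped by this rendering, so the surrounding array continues beyond what is shown.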


@ -281,8 +281,28 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"futex\0" "futex\0"
"get_robust_list\0" "get_robust_list\0"
"get_thread_area\0" "get_thread_area\0"
"getegid\0"
"getegid32\0"
"geteuid\0"
"geteuid32\0"
"getgid\0"
"getgid32\0"
"getgroups\0"
"getgroups32\0"
"getpgid\0"
"getpgrp\0"
"getpid\0"
"getppid\0"
"getresgid\0"
"getresgid32\0"
"getresuid\0"
"getresuid32\0"
"getrlimit\0" /* make sure processes can query stack size and such */ "getrlimit\0" /* make sure processes can query stack size and such */
"getsid\0"
"gettid\0"
"gettimeofday\0" "gettimeofday\0"
"getuid\0"
"getuid32\0"
"membarrier\0" "membarrier\0"
"nanosleep\0" "nanosleep\0"
"pause\0" "pause\0"
@ -333,32 +353,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"vm86\0" "vm86\0"
"vm86old\0" "vm86old\0"
}, },
[SYSCALL_FILTER_SET_CREDENTIALS] = {
.name = "@credentials",
.help = "Query own process credentials",
.value =
"capget\0"
"getegid\0"
"getegid32\0"
"geteuid\0"
"geteuid32\0"
"getgid\0"
"getgid32\0"
"getgroups\0"
"getgroups32\0"
"getpgid\0"
"getpgrp\0"
"getpid\0"
"getppid\0"
"getresgid\0"
"getresgid32\0"
"getresuid\0"
"getresuid32\0"
"getsid\0"
"gettid\0"
"getuid\0"
"getuid32\0"
},
[SYSCALL_FILTER_SET_DEBUG] = { [SYSCALL_FILTER_SET_DEBUG] = {
.name = "@debug", .name = "@debug",
.help = "Debugging, performance monitoring and tracing functionality", .help = "Debugging, performance monitoring and tracing functionality",
@ -645,11 +639,10 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.help = "Process control, execution, namespaceing operations", .help = "Process control, execution, namespaceing operations",
.value = .value =
"arch_prctl\0" "arch_prctl\0"
"capget\0" /* Able to query arbitrary processes */
"clone\0" "clone\0"
"execveat\0" "execveat\0"
"fork\0" "fork\0"
"getpid\0"
"getppid\0"
"getrusage\0" "getrusage\0"
"gettid\0" "gettid\0"
"kill\0" "kill\0"
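Review bot: getpgid and getsid, added to @default in the first hunk of this file, both take a pid argument and per getpgid(2)/getsid(2) can be pointed at arbitrary processes (ESRCH versus success reveals whether a pid exists), which is the same property the commit cites for keeping capget out of @default and moving it to @process. If the intent is that @default only covers calls that act on the caller itself, those two entries should follow capget into @process, or at least carry a comment such as `"getpgid\0" /* takes a pid; can probe other processes */` so the exception is visibly deliberate. Separately, gettid is now listed both in @default and in @process, while getpid and getppid were dropped from @process in the last hunk as redundant with @default; dropping gettid from @process as well would keep the two sets consistent.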


@ -44,7 +44,6 @@ enum {
SYSCALL_FILTER_SET_BASIC_IO, SYSCALL_FILTER_SET_BASIC_IO,
SYSCALL_FILTER_SET_CLOCK, SYSCALL_FILTER_SET_CLOCK,
SYSCALL_FILTER_SET_CPU_EMULATION, SYSCALL_FILTER_SET_CPU_EMULATION,
SYSCALL_FILTER_SET_CREDENTIALS,
SYSCALL_FILTER_SET_DEBUG, SYSCALL_FILTER_SET_DEBUG,
SYSCALL_FILTER_SET_FILE_SYSTEM, SYSCALL_FILTER_SET_FILE_SYSTEM,
SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_IO_EVENT,