shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00
Code

man: note that cgroup-based sandboxing is not bypassed by '+'

Browse Source 
DeviceAllow= and others are applied to the whole cgroup via bpf, so
using '+' on an Exec line will not bypass them. Explain this in the
manpage.

Fixes https://github.com/systemd/systemd/issues/26035
This commit is contained in:
Luca Boccassi 2023-01-15 18:54:16 +00:00 committed by Luca Boccassi
parent db5310cfc1
commit f2af682cd6
4 changed files with 29 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
man/cgroup-sandboxing.xml Normal file
View File

@ -0,0 +1,16 @@
<?xml version="1.0"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!--
SPDX-License-Identifier: LGPL-2.1-or-later
-->
<refsect1>
<para id="singular">This option cannot be bypassed by prefixing <literal>+</literal> to the executable path
in the service unit, as it applies to the whole control group.</para>
<para id="plural">These options cannot be bypassed by prefixing <literal>+</literal> to the executable path
in the service unit, as it applies to the whole control group.</para>
</refsect1>

4
man/systemd.exec.xml
View File

@ -2007,7 +2007,9 @@ RestrictFileSystems=ext4</programlisting>
<para>Note that this setting might not be supported on some systems (for example if the LSM eBPF hook is <para>Note that this setting might not be supported on some systems (for example if the LSM eBPF hook is
not enabled in the underlying kernel or if not using the unified control group hierarchy). In that case this setting not enabled in the underlying kernel or if not using the unified control group hierarchy). In that case this setting
has no effect.</para></listitem> has no effect.</para>
<xi:include href="cgroup-sandboxing.xml" xpointer="singular"/></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>

9
man/systemd.resource-control.xml
View File

@ -638,6 +638,8 @@
support is not enabled in the underlying kernel or container manager). These settings will have no effect in support is not enabled in the underlying kernel or container manager). These settings will have no effect in
that case. If compatibility with such systems is desired it is hence recommended to not exclusively rely on that case. If compatibility with such systems is desired it is hence recommended to not exclusively rely on
them for IP security.</para> them for IP security.</para>
<xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -814,6 +816,8 @@ SocketBindDeny=any
SocketBindAllow=ipv4:udp:10000-65535 SocketBindAllow=ipv4:udp:10000-65535
SocketBindDeny=any SocketBindDeny=any
</programlisting></para> </programlisting></para>
<xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -860,6 +864,8 @@ RestrictNetworkInterfaces=eth1 eth2
RestrictNetworkInterfaces=~eth1</programlisting> RestrictNetworkInterfaces=~eth1</programlisting>
Programs in the unit will be only able to use the eth2 network interface. Programs in the unit will be only able to use the eth2 network interface.
</para> </para>
<xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -912,6 +918,7 @@ DeviceAllow=block-loop
DeviceAllow=/dev/loop-control DeviceAllow=/dev/loop-control
</programlisting></para> </programlisting></para>
<xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -956,6 +963,8 @@ DeviceAllow=/dev/loop-control
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>
</listitem> </listitem>
</varlistentry> </varlistentry>

2
man/systemd.service.xml
View File

@ -406,7 +406,7 @@
<row> <row>
<entry><literal>+</literal></entry> <entry><literal>+</literal></entry>
<entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines).</entry> <entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines). However, note that this will not bypass options that apply to the whole control group, such as <varname>DevicePolicy=</varname>, see <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the full list.</entry>
</row> </row>
<row> <row>