
exec: imply NoNewPriviliges= only when seccomp filters are used in user mode

Lennart Poettering 2014-02-26 02:28:52 +01:00
parent 9c423fbf2a
commit f513e420c8
3 changed files with 46 additions and 28 deletions


@ -1010,8 +1010,8 @@
<varlistentry> <varlistentry>
<term><varname>SystemCallFilter=</varname></term> <term><varname>SystemCallFilter=</varname></term>
<listitem><para>Takes a space-separated <listitem><para>Takes a
list of system call space-separated list of system call
names. If this setting is used, all names. If this setting is used, all
system calls executed by the unit system calls executed by the unit
processes except for the listed ones processes except for the listed ones
@ -1023,12 +1023,13 @@
the effect is inverted: only the the effect is inverted: only the
listed system calls will result in listed system calls will result in
immediate process termination immediate process termination
(blacklisting). If this option is used, (blacklisting). If running in user
mode and this option is used,
<varname>NoNewPrivileges=yes</varname> <varname>NoNewPrivileges=yes</varname>
is implied. This feature makes use of is implied. This feature makes use of the
the Secure Computing Mode 2 interfaces Secure Computing Mode 2 interfaces of
of the kernel ('seccomp filtering') the kernel ('seccomp filtering') and
and is useful for enforcing a minimal is useful for enforcing a minimal
sandboxing environment. Note that the sandboxing environment. Note that the
<function>execve</function>, <function>execve</function>,
<function>rt_sigreturn</function>, <function>rt_sigreturn</function>,
@ -1096,28 +1097,31 @@
<constant>x86</constant>, <constant>x86</constant>,
<constant>x86-64</constant>, <constant>x86-64</constant>,
<constant>x32</constant>, <constant>x32</constant>,
<constant>arm</constant> as well as the <constant>arm</constant> as well as
special identifier the special identifier
<constant>native</constant>. Only system <constant>native</constant>. Only
calls of the specified architectures system calls of the specified
will be permitted to processes of this architectures will be permitted to
unit. This is an effective way to processes of this unit. This is an
disable compatibility with non-native effective way to disable compatibility
architectures for processes, for with non-native architectures for
example to prohibit execution of processes, for example to prohibit
32-bit x86 binaries on 64-bit x86-64 execution of 32-bit x86 binaries on
systems. The special 64-bit x86-64 systems. The special
<constant>native</constant> identifier <constant>native</constant> identifier
implicitly maps to the native implicitly maps to the native
architecture of the system (or more architecture of the system (or more
strictly: to the architecture the strictly: to the architecture the
system manager is compiled for). Note system manager is compiled for). If
that setting this option to a running in user mode and this option
non-empty list implies that is used,
<constant>native</constant> is included <varname>NoNewPrivileges=yes</varname>
too. By default, this option is set to is implied. Note that setting this
the empty list, i.e. no architecture option to a non-empty list implies
system call filtering is that <constant>native</constant> is
included too. By default, this option
is set to the empty list, i.e. no
architecture system call filtering is
applied.</para></listitem> applied.</para></listitem>
</varlistentry> </varlistentry>
@ -1149,7 +1153,10 @@
sockets only) are unaffected. Note sockets only) are unaffected. Note
that this option has no effect on that this option has no effect on
32bit x86 and is ignored (but works 32bit x86 and is ignored (but works
correctly on x86-64). By default no correctly on x86-64). If running in user
mode and this option is used,
<varname>NoNewPrivileges=yes</varname>
is implied. By default no
restriction applies, all address restriction applies, all address
families are accessible to families are accessible to
processes. If assigned the empty processes. If assigned the empty


@ -1706,7 +1706,8 @@ int exec_spawn(ExecCommand *command,
} }
#ifdef HAVE_SECCOMP #ifdef HAVE_SECCOMP
if (context->address_families) { if (context->address_families_whitelist ||
!set_isempty(context->address_families)) {
err = apply_address_families(context); err = apply_address_families(context);
if (err < 0) { if (err < 0) {
r = EXIT_ADDRESS_FAMILIES; r = EXIT_ADDRESS_FAMILIES;
@ -1714,7 +1715,9 @@ int exec_spawn(ExecCommand *command,
} }
} }
if (context->syscall_filter || context->syscall_archs) { if (context->syscall_whitelist ||
!set_isempty(context->syscall_filter) ||
!set_isempty(context->syscall_archs)) {
err = apply_seccomp(context); err = apply_seccomp(context);
if (err < 0) { if (err < 0) {
r = EXIT_SECCOMP; r = EXIT_SECCOMP;
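Review bot: The predicate deciding whether a seccomp-based filter is configured is now spelled out in three places — here in exec_spawn for the address-family set, again in the following hunk for the syscall filter and syscall archs, and a third time in unit_exec_context_patch_defaults in the last file — so the copies can drift apart silently and the user-mode NoNewPrivileges= implication would then no longer match what is actually applied. Two small predicates, say a proposed `static bool exec_context_has_syscall_filter(const ExecContext *c)` and `exec_context_has_address_family_filter(const ExecContext *c)`, used by both branches here and ORed together in unit_exec_context_patch_defaults, would keep the three sites in lockstep. Both new conditions also rely on `set_isempty()` accepting an unallocated set, since the replaced `context->address_families` truthiness check implies the sets may be NULL; if set_isempty() does not tolerate NULL this is a crash rather than a skipped filter, so that assumption is worth confirming once. exec_spawn starts and ends outside these hunks.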


@ -2817,6 +2817,14 @@ int unit_exec_context_patch_defaults(Unit *u, ExecContext *c) {
return r; return r;
} }
if (u->manager->running_as == SYSTEMD_USER &&
(c->syscall_whitelist ||
!set_isempty(c->syscall_filter) ||
!set_isempty(c->syscall_archs) ||
c->address_families_whitelist ||
!set_isempty(c->address_families)))
c->no_new_privileges = true;
return 0; return 0;
} }
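Review bot: The new block in unit_exec_context_patch_defaults changes a user-visible security setting without a comment explaining why the implication is restricted to SYSTEMD_USER, and the commit message states the restriction but not the reason; a short comment above the `if` would save the next reader a git-blame, e.g. `/* In user mode, imply NoNewPrivileges= whenever a seccomp-based filter is configured (presumably because an unprivileged manager cannot install seccomp filters otherwise); in system mode the administrator's explicit choice is left untouched. */` with the parenthetical confirmed against the original rationale. The flag is only ever set here, never cleared, so if this function can run more than once for the same context a unit that later drops its filters would keep no_new_privileges=true — harmless if it runs once per load, but worth a sentence either way. The five-line unbraced condition would also read more safely with braces around the single assignment. The enclosing function starts outside the hunk.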