From 760b9d7cbaa72cc7446ad915f84d4939c11a360c Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 5 Mar 2014 04:41:01 +0100
Subject: [PATCH] core: don't override NoNewPriviliges= from SystemCallFilter= if it is already explicitly set
---
 src/core/execute.h | 1 +
 src/core/load-fragment-gperf.gperf.m4 | 2 +-
 src/core/load-fragment.c | 37 ++++++++++++++++++++++++++-
 src/core/load-fragment.h | 1 +
 4 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/core/execute.h b/src/core/execute.h
index a3336573280..9fcea121fa8 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -185,6 +185,7 @@ struct ExecContext {
 bool nice_set:1;
 bool ioprio_set:1;
 bool cpu_sched_set:1;
+ bool no_new_privileges_set:1;
 };
 
 #include "cgroup.h"
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index 7bdee13faae..5604ee975d6 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -48,7 +48,7 @@ $1.Capabilities, config_parse_exec_capabilities, 0,
 $1.SecureBits, config_parse_exec_secure_bits, 0, offsetof($1, exec_context)
 $1.CapabilityBoundingSet, config_parse_bounding_set, 0, offsetof($1, exec_context.capability_bounding_set_drop)
 $1.TimerSlackNSec, config_parse_nsec, 0, offsetof($1, exec_context.timer_slack_nsec)
-$1.NoNewPrivileges, config_parse_bool, 0, offsetof($1, exec_context.no_new_privileges)
+$1.NoNewPrivileges, config_parse_no_new_priviliges, 0, offsetof($1, exec_context)
 m4_ifdef(`HAVE_SECCOMP',
 `$1.SystemCallFilter, config_parse_syscall_filter, 0, offsetof($1, exec_context)
 $1.SystemCallArchitectures, config_parse_syscall_archs, 0, offsetof($1, exec_context.syscall_archs)
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 5628d8c910d..18dab02cd77 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2122,7 +2122,10 @@ int config_parse_syscall_filter(
 set_remove(c->syscall_filter, INT_TO_PTR(id + 1));
 }
 
- c->no_new_privileges = true;
+ /* Turn on NNP, but only if it wasn't configured explicitly
+ * before, and only if we are in user mode. */
+ if (!c->no_new_privileges_set && u->manager->running_as == SYSTEMD_USER)
+ c->no_new_privileges = true;
 
 return 0;
 }
@@ -2902,6 +2905,38 @@ int config_parse_namespace_path_strv(
 return 0; } +int config_parse_no_new_priviliges( const char* unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata) { + ExecContext *c = data; int k; + assert(filename); assert(lvalue); assert(rvalue); assert(data); + k = parse_boolean(rvalue); if (k < 0) { log_syntax(unit, LOG_ERR, filename, line, -k, "Failed to parse boolean value, ignoring: %s", rvalue); return 0; } + c->no_new_privileges = !!k; c->no_new_privileges_set = true; + return 0; } + #define FOLLOW_MAX 8 static int open_follow(char **filename, FILE **_f, Set *names, char **_final) {
diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h
index 73f6db72edf..fabbda212da 100644
--- a/src/core/load-fragment.h
+++ b/src/core/load-fragment.h
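Review bot: The guard added in config_parse_syscall_filter changes more than the commit subject states: besides honouring an explicit NoNewPrivileges=, it stops SystemCallFilter= from implying NoNewPrivileges=yes for the system manager at all, because the new condition also requires `u->manager->running_as == SYSTEMD_USER`. Unit authors who relied on that implication for their system services will not learn of it from the message, so the comment should give the reason rather than just the rule, e.g. `/* Turn on NNP only for the user manager, where the kernel requires it to install a seccomp filter without CAP_SYS_ADMIN; in system mode the unit decides. */`, and the commit message and the NoNewPrivileges=/SystemCallFilter= documentation should say the same. Conversely, a user-mode unit that explicitly sets NoNewPrivileges=no alongside SystemCallFilter= will presumably fail to install its filter at exec time, which a `log_syntax(unit, LOG_WARNING, ...)` in this branch when `c->no_new_privileges_set && !c->no_new_privileges` would surface at load time instead. `u` is presumably the Unit taken from userdata earlier in the function, whose start lies outside the hunk.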
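Review bot: The new parser's name, `config_parse_no_new_priviliges`, misspells "privileges", unlike the NoNewPrivileges= directive and the no_new_privileges field it writes; the same spelling is repeated in the gperf table entry, the prototype added to load-fragment.h and the commit subject, so renaming it to `config_parse_no_new_privileges` in all three places now avoids carrying the typo into a symbol other code will reference. The first parameter is written `const char* unit` while the rest of the signature and the header prototype use `const char *`. An empty value is rejected by parse_boolean and logged as an error; if this file's other parsers treat an empty rvalue as a reset, that difference deserves a comment such as `/* No reset-on-empty: an empty NoNewPrivileges= is a parse error */`. Otherwise the body follows the pattern of the surrounding parsers.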
@@ -94,6 +94,7 @@ int config_parse_address_families(const char *unit, const char *filename, unsign
 int config_parse_runtime_directory(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
 int config_parse_set_status(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
 int config_parse_namespace_path_strv(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
+int config_parse_no_new_priviliges(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
 
 /* gperf prototypes */
 const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length);