core: add a system-wide SystemCallArchitectures= setting

This is useful to prohibit execution of non-native processes on systems, for example 32bit binaries on 64bit systems, this lowering the attack service on incorrect syscall and ioctl 32→64bit mappings.
2025-01-11 09:18:07 +03:00 · 2014-02-13 01:35:27 +01:00 · 2014-02-13 01:35:27 +01:00 · d3b1c50833
commit d3b1c50833
parent 624b5a636f
6 changed files with 234 additions and 114 deletions
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@ -93,42 +93,6 @@
                                arguments.</para></listitem>
                        </varlistentry>

-                        <varlistentry>
-                                <term><varname>DefaultTimeoutStartSec=</varname></term>
-                                <term><varname>DefaultTimeoutStopSec=</varname></term>
-                                <term><varname>DefaultRestartSec=</varname></term>
-
-                                <listitem><para>Configures the default
-                                time-outs for starting and stopping of
-                                units, as well as the default time to
-                                sleep between automatic restarts of
-                                units, as configured per-unit in
-                                <varname>TimeoutStartSec=</varname>,
-                                <varname>TimeoutStopSec=</varname> and
-                                <varname>RestartSec=</varname> (for
-                                service units, see
-                                <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-                                for details on the per-unit
-                                settings). For non-service units,
-                                <varname>DefaultTimeoutStartSec=</varname>
-                                sets the default
-                                <varname>TimeoutSec=</varname> value.
-                                </para></listitem>
-                        </varlistentry>
-                        <varlistentry>
-                                <term><varname>DefaultStartLimitInterval=</varname></term>
-                                <term><varname>DefaultStartLimitBurst=</varname></term>
-
-                                <listitem><para>Configure the default start rate
-                                limiting, as configured per-service by
-                                <varname>StartLimitInterval=</varname> and
-                                <varname>StartLimitBurst=</varname>. See
-                                <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-                                for details on the per-service
-                                settings).
-                                </para></listitem>
-                        </varlistentry>
-
                        <varlistentry>
                                <term><varname>CPUAffinity=</varname></term>

@ -247,6 +211,50 @@
                                are lost for good.</para></listitem>
                        </varlistentry>

+                        <varlistentry>
+                                <term><varname>SystemCallArchitectures=</varname></term>
+
+                                <listitem><para>Takes a
+                                space-separated list of architecture
+                                identifiers. Selects of which
+                                architectures system calls may be
+                                invoked on this system. This may be
+                                used as an effective way to disable
+                                invocation of non-native binaries
+                                system-wide, for example to prohibit
+                                execution of 32bit x86 binaries on
+                                64bit x86-64 systems. This option
+                                operates system wide, and acts
+                                similar to the
+                                <varname>SystemCallArchitectures=</varname>
+                                setting of unit files, see
+                                <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details. This setting defaults to
+                                the empty list in which case no
+                                filtering of system calls based on
+                                architecture is applied. Known
+                                architecture identifiers are
+                                <literal>x86</literal>,
+                                <literal>x86-64</literal>,
+                                <literal>x32</literal>,
+                                <literal>arm</literal> and the special
+                                identifier
+                                <literal>native</literal>. The latter
+                                implicitly maps to the native
+                                architecture of the system (or more
+                                specifically, the architecture the
+                                system manager was compiled for). Set
+                                this setting to
+                                <literal>native</literal> to prohibit
+                                execution of any non-native
+                                binaries. When a binary executes a
+                                system call of an architecture that is
+                                not listed in this setting it will be
+                                immediately terminated with the SIGSYS
+                                signal.</para></listitem>
+                        </varlistentry>
+
+
                        <varlistentry>
                                <term><varname>TimerSlackNSec=</varname></term>

@ -271,6 +279,42 @@
                                too.</para></listitem>
                        </varlistentry>

+                        <varlistentry>
+                                <term><varname>DefaultTimeoutStartSec=</varname></term>
+                                <term><varname>DefaultTimeoutStopSec=</varname></term>
+                                <term><varname>DefaultRestartSec=</varname></term>
+
+                                <listitem><para>Configures the default
+                                time-outs for starting and stopping of
+                                units, as well as the default time to
+                                sleep between automatic restarts of
+                                units, as configured per-unit in
+                                <varname>TimeoutStartSec=</varname>,
+                                <varname>TimeoutStopSec=</varname> and
+                                <varname>RestartSec=</varname> (for
+                                service units, see
+                                <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details on the per-unit
+                                settings). For non-service units,
+                                <varname>DefaultTimeoutStartSec=</varname>
+                                sets the default
+                                <varname>TimeoutSec=</varname> value.
+                                </para></listitem>
+                        </varlistentry>
+                        <varlistentry>
+                                <term><varname>DefaultStartLimitInterval=</varname></term>
+                                <term><varname>DefaultStartLimitBurst=</varname></term>
+
+                                <listitem><para>Configure the default start rate
+                                limiting, as configured per-service by
+                                <varname>StartLimitInterval=</varname> and
+                                <varname>StartLimitBurst=</varname>. See
+                                <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details on the per-service
+                                settings).
+                                </para></listitem>
+                        </varlistentry>
+
                        <varlistentry>
                                <term><varname>DefaultEnvironment=</varname></term>

@ -334,7 +378,10 @@
                  <para>
                          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                          <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-                          <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+                          <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+                          <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+                          <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+                          <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
                  </para>
        </refsect1>

--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@ -51,7 +51,7 @@ $1.TimerSlackNSec,               config_parse_nsec,                  0,
 $1.NoNewPrivileges,              config_parse_bool,                  0,                             offsetof($1, exec_context.no_new_privileges)
 m4_ifdef(`HAVE_SECCOMP',
 `$1.SystemCallFilter,            config_parse_syscall_filter,        0,                             offsetof($1, exec_context)
-$1.SystemCallArchitectures,      config_parse_syscall_archs,         0,                             offsetof($1, exec_context)
+$1.SystemCallArchitectures,      config_parse_syscall_archs,         0,                             offsetof($1, exec_context.syscall_archs)
 $1.SystemCallErrorNumber,        config_parse_syscall_errno,         0,                             offsetof($1, exec_context)',
 `$1.SystemCallFilter,            config_parse_warn_compat,           0,                             0
 $1.SystemCallArchitectures,      config_parse_warn_compat,           0,                             0
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -2045,18 +2045,18 @@ int config_parse_syscall_archs(
                void *data,
                void *userdata) {

-        ExecContext *c = data;
+        Set **archs = data;
        char *w, *state;
        size_t l;
        int r;

        if (isempty(rvalue)) {
-                set_free(c->syscall_archs);
-                c->syscall_archs = NULL;
+                set_free(*archs);
+                *archs = NULL;
                return 0;
        }

-        r = set_ensure_allocated(&c->syscall_archs, trivial_hash_func, trivial_compare_func);
+        r = set_ensure_allocated(archs, trivial_hash_func, trivial_compare_func);
        if (r < 0)
                return log_oom();

@ -2074,7 +2074,7 @@ int config_parse_syscall_archs(
                        continue;
                }

-                r = set_put(c->syscall_archs, UINT32_TO_PTR(a + 1));
+                r = set_put(*archs, UINT32_TO_PTR(a + 1));
                if (r == -EEXIST)
                        continue;
                if (r < 0)
--- a/src/core/main.c
+++ b/src/core/main.c
@ -82,10 +82,8 @@ static enum {
        ACTION_DUMP_CONFIGURATION_ITEMS,
        ACTION_DONE
 } arg_action = ACTION_RUN;
-
 static char *arg_default_unit = NULL;
 static SystemdRunningAs arg_running_as = _SYSTEMD_RUNNING_AS_INVALID;
-
 static bool arg_dump_core = true;
 static bool arg_crash_shell = false;
 static int arg_crash_chvt = -1;
@ -106,11 +104,10 @@ static char **arg_default_environment = NULL;
 static struct rlimit *arg_default_rlimit[RLIMIT_NLIMITS] = {};
 static uint64_t arg_capability_bounding_set_drop = 0;
 static nsec_t arg_timer_slack_nsec = (nsec_t) -1;
+static Set* arg_syscall_archs = NULL;
+static FILE* arg_serialization = NULL;

-static FILE* serialization = NULL;
-
-static void nop_handler(int sig) {
-}
+static void nop_handler(int sig) {}

 noreturn static void crash(int sig) {

@ -641,6 +638,12 @@ static int parse_config_file(void) {
                { "Manager", "ShowStatus",                config_parse_show_status,      0, &arg_show_status                       },
                { "Manager", "CrashChVT",                 config_parse_int,              0, &arg_crash_chvt                        },
                { "Manager", "CPUAffinity",               config_parse_cpu_affinity2,    0, NULL                                   },
+                { "Manager", "JoinControllers",           config_parse_join_controllers, 0, &arg_join_controllers                  },
+                { "Manager", "RuntimeWatchdogSec",        config_parse_sec,              0, &arg_runtime_watchdog                  },
+                { "Manager", "ShutdownWatchdogSec",       config_parse_sec,              0, &arg_shutdown_watchdog                 },
+                { "Manager", "CapabilityBoundingSet",     config_parse_bounding_set,     0, &arg_capability_bounding_set_drop      },
+                { "Manager", "SystemCallArchitectures",   config_parse_syscall_archs,    0, &arg_syscall_archs                     },
+                { "Manager", "TimerSlackNSec",            config_parse_nsec,             0, &arg_timer_slack_nsec                  },
                { "Manager", "DefaultStandardOutput",     config_parse_output,           0, &arg_default_std_output                },
                { "Manager", "DefaultStandardError",      config_parse_output,           0, &arg_default_std_error                 },
                { "Manager", "DefaultTimeoutStartSec",    config_parse_sec,              0, &arg_default_timeout_start_usec        },
@ -648,11 +651,6 @@ static int parse_config_file(void) {
                { "Manager", "DefaultRestartSec",         config_parse_sec,              0, &arg_default_restart_usec              },
                { "Manager", "DefaultStartLimitInterval", config_parse_sec,              0, &arg_default_start_limit_interval      },
                { "Manager", "DefaultStartLimitBurst",    config_parse_unsigned,         0, &arg_default_start_limit_burst         },
-                { "Manager", "JoinControllers",       config_parse_join_controllers, 0, &arg_join_controllers },
-                { "Manager", "RuntimeWatchdogSec",    config_parse_sec,          0, &arg_runtime_watchdog    },
-                { "Manager", "ShutdownWatchdogSec",   config_parse_sec,          0, &arg_shutdown_watchdog   },
-                { "Manager", "CapabilityBoundingSet", config_parse_bounding_set, 0, &arg_capability_bounding_set_drop },
-                { "Manager", "TimerSlackNSec",        config_parse_nsec,         0, &arg_timer_slack_nsec    },
                { "Manager", "DefaultEnvironment",        config_parse_environ,          0, &arg_default_environment               },
                { "Manager", "DefaultLimitCPU",           config_parse_limit,            0, &arg_default_rlimit[RLIMIT_CPU]        },
                { "Manager", "DefaultLimitFSIZE",         config_parse_limit,            0, &arg_default_rlimit[RLIMIT_FSIZE]      },
@ -670,7 +668,7 @@ static int parse_config_file(void) {
                { "Manager", "DefaultLimitNICE",          config_parse_limit,            0, &arg_default_rlimit[RLIMIT_NICE]       },
                { "Manager", "DefaultLimitRTPRIO",        config_parse_limit,            0, &arg_default_rlimit[RLIMIT_RTPRIO]     },
                { "Manager", "DefaultLimitRTTIME",        config_parse_limit,            0, &arg_default_rlimit[RLIMIT_RTTIME]     },
-                { NULL, NULL, NULL, 0, NULL }
+                {}
        };

        _cleanup_fclose_ FILE *f;
@ -925,10 +923,10 @@ static int parse_argv(int argc, char *argv[]) {
                                return -errno;
                        }

-                        if (serialization)
-                                fclose(serialization);
+                        if (arg_serialization)
+                                fclose(arg_serialization);

-                        serialization = f;
+                        arg_serialization = f;

                        break;
                }
@ -1194,6 +1192,39 @@ static int initialize_join_controllers(void) {
        return 0;
 }

+static int enforce_syscall_archs(Set *archs) {
+#ifdef HAVE_SECCOMP
+        scmp_filter_ctx *seccomp;
+        Iterator i;
+        void *id;
+        int r;
+
+        seccomp = seccomp_init(SCMP_ACT_ALLOW);
+        if (!seccomp)
+                return log_oom();
+
+        SET_FOREACH(id, arg_syscall_archs, i) {
+                r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
+                if (r == -EEXIST)
+                        continue;
+                if (r < 0) {
+                        log_error("Failed to add architecture to seccomp: %s", strerror(-r));
+                        goto finish;
+                }
+        }
+
+        r = seccomp_load(seccomp);
+        if (r < 0)
+                log_error("Failed to add install architecture seccomp: %s", strerror(-r));
+
+finish:
+        seccomp_release(seccomp);
+        return r;
+#else
+        return 0;
+#endif
+}
+
 int main(int argc, char *argv[]) {
        Manager *m = NULL;
        int r, retval = EXIT_FAILURE;
@ -1209,7 +1240,7 @@ int main(int argc, char *argv[]) {
        dual_timestamp security_finish_timestamp = { 0ULL, 0ULL };
        static char systemd[] = "systemd";
        bool skip_setup = false;
-        int j;
+        unsigned j;
        bool loaded_policy = false;
        bool arm_reboot_watchdog = false;
        bool queue_default_job = false;
@ -1437,8 +1468,8 @@ int main(int argc, char *argv[]) {
        } else
                fdset_cloexec(fds, true);

-        if (serialization)
-                assert_se(fdset_remove(fds, fileno(serialization)) >= 0);
+        if (arg_serialization)
+                assert_se(fdset_remove(fds, fileno(arg_serialization)) >= 0);

        if (arg_running_as == SYSTEMD_SYSTEM)
                /* Become a session leader if we aren't one yet. */
@ -1520,6 +1551,12 @@ int main(int argc, char *argv[]) {
                }
        }

+        if (arg_syscall_archs) {
+                r = enforce_syscall_archs(arg_syscall_archs);
+                if (r < 0)
+                        goto finish;
+        }
+
        if (arg_running_as == SYSTEMD_USER) {
                /* Become reaper of our children */
                if (prctl(PR_SET_CHILD_SUBREAPER, 1) < 0) {
@ -1564,11 +1601,11 @@ int main(int argc, char *argv[]) {
        manager_set_show_status(m, arg_show_status);

        /* Remember whether we should queue the default job */
-        queue_default_job = !serialization || arg_switched_root;
+        queue_default_job = !arg_serialization || arg_switched_root;

        before_startup = now(CLOCK_MONOTONIC);

-        r = manager_startup(m, serialization, fds);
+        r = manager_startup(m, arg_serialization, fds);
        if (r < 0)
                log_error("Failed to fully start up daemon: %s", strerror(-r));

@ -1577,9 +1614,9 @@ int main(int argc, char *argv[]) {
        fdset_free(fds);
        fds = NULL;

-        if (serialization) {
-                fclose(serialization);
-                serialization = NULL;
+        if (arg_serialization) {
+                fclose(arg_serialization);
+                arg_serialization = NULL;
        }

        if (queue_default_job) {
@ -1672,7 +1709,7 @@ int main(int argc, char *argv[]) {

                case MANAGER_REEXECUTE:

-                        if (prepare_reexecute(m, &serialization, &fds, false) < 0)
+                        if (prepare_reexecute(m, &arg_serialization, &fds, false) < 0)
                                goto finish;

                        reexecute = true;
@ -1686,7 +1723,7 @@ int main(int argc, char *argv[]) {
                        m->switch_root = m->switch_root_init = NULL;

                        if (!switch_root_init)
-                                if (prepare_reexecute(m, &serialization, &fds, true) < 0)
+                                if (prepare_reexecute(m, &arg_serialization, &fds, true) < 0)
                                        goto finish;

                        reexecute = true;
@ -1717,15 +1754,27 @@ int main(int argc, char *argv[]) {
        }

 finish:
-        if (m)
+        if (m) {
                manager_free(m);
+                m = NULL;
+        }

-        for (j = 0; j < RLIMIT_NLIMITS; j++)
+        for (j = 0; j < ELEMENTSOF(arg_default_rlimit); j++) {
                free(arg_default_rlimit[j]);
+                arg_default_rlimit[j] = NULL;
+        }

        free(arg_default_unit);
+        arg_default_unit = NULL;
+
        free_join_controllers();

+        strv_free(arg_default_environment);
+        arg_default_environment = NULL;
+
+        set_free(arg_syscall_archs);
+        arg_syscall_archs = NULL;
+
        label_finish();

        if (reexecute) {
@ -1767,10 +1816,10 @@ finish:
                         * this only if the user didn't specify an
                         * explicit init to spawn. */

-                        assert(serialization);
+                        assert(arg_serialization);
                        assert(fds);

-                        snprintf(sfd, sizeof(sfd), "%i", fileno(serialization));
+                        snprintf(sfd, sizeof(sfd), "%i", fileno(arg_serialization));
                        char_array_0(sfd);

                        i = 0;
@ -1796,9 +1845,9 @@ finish:
                 * getopt() in argv[], and some cleanups in envp[],
                 * but let's hope that doesn't matter.) */

-                if (serialization) {
-                        fclose(serialization);
-                        serialization = NULL;
+                if (arg_serialization) {
+                        fclose(arg_serialization);
+                        arg_serialization = NULL;
                }

                if (fds) {
@ -1809,7 +1858,7 @@ finish:
                /* Reopen the console */
                make_console_stdio();

-                for (j = 1, i = 1; j < argc; j++)
+                for (j = 1, i = 1; j < (unsigned) argc; j++)
                        args[i++] = argv[j];
                args[i++] = NULL;
                assert(i <= args_size);
@ -1834,11 +1883,15 @@ finish:
                        log_warning("Failed to execute /sbin/init, giving up: %m");
        }

-        if (serialization)
-                fclose(serialization);
+        if (arg_serialization) {
+                fclose(arg_serialization);
+                arg_serialization = NULL;
+        }

-        if (fds)
+        if (fds) {
                fdset_free(fds);
+                fds = NULL;
+        }

 #ifdef HAVE_VALGRIND_VALGRIND_H
        /* If we are PID 1 and running under valgrind, then let's exit
--- a/src/core/system.conf
+++ b/src/core/system.conf
@ -17,13 +17,14 @@
 #ShowStatus=yes
 #CrashChVT=1
 #CPUAffinity=1 2
-#DefaultStandardOutput=journal
-#DefaultStandardError=inherit
 #JoinControllers=cpu,cpuacct net_cls,net_prio
 #RuntimeWatchdogSec=0
 #ShutdownWatchdogSec=10min
 #CapabilityBoundingSet=
+#SystemCallArchitectures=
 #TimerSlackNSec=
+#DefaultStandardOutput=journal
+#DefaultStandardError=inherit
 #DefaultTimeoutStartSec=90s
 #DefaultTimeoutStopSec=90s
 #DefaultRestartSec=100ms
--- a/src/core/user.conf
+++ b/src/core/user.conf
@ -12,6 +12,8 @@
 #LogTarget=console
 #LogColor=yes
 #LogLocation=no
+#SystemCallArchitectures=
+#TimerSlackNSec=
 #DefaultStandardOutput=inherit
 #DefaultStandardError=inherit
 #DefaultTimeoutStartSec=90s
@ -19,3 +21,20 @@
 #DefaultRestartSec=100ms
 #DefaultStartLimitInterval=10s
 #DefaultStartLimitBurst=5
+#DefaultEnvironment=
+#DefaultLimitCPU=
+#DefaultLimitFSIZE=
+#DefaultLimitDATA=
+#DefaultLimitSTACK=
+#DefaultLimitCORE=
+#DefaultLimitRSS=
+#DefaultLimitNOFILE=
+#DefaultLimitAS=
+#DefaultLimitNPROC=
+#DefaultLimitMEMLOCK=
+#DefaultLimitLOCKS=
+#DefaultLimitSIGPENDING=
+#DefaultLimitMSGQUEUE=
+#DefaultLimitNICE=
+#DefaultLimitRTPRIO=
+#DefaultLimitRTTIME=