1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

265 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
189cd8c2ab man: describe RuntimeDirectoryMode=
Fixes #5509.
2017-06-17 15:23:02 -04:00
Zbigniew Jędrzejewski-Szmek
03c3c52040 man: update MemoryDenyWriteExecute description for executable stacks
Without going into details, mention that libraries are also covered by the
filters, and that executable stacks are a no no.

Closes #5970.
2017-05-30 16:44:48 -04:00
Zbigniew Jędrzejewski-Szmek
98e9d71022 man: fix links to external man pages
linkchecker ftw!
2017-05-07 11:29:40 -04:00
James Cowgill
a3645cc6dd seccomp: add clone syscall definitions for mips (#5880)
Also updates the documentation and adds a mention of ppc64 support
which was enabled by #5325.

Tested on Debian mipsel and mips64el. The other 4 mips architectures
should have an identical user <-> kernel ABI to one of the 2 tested
systems.
2017-05-03 18:35:45 +02:00
Mark Stosberg
b8e485faf1 man: document how to include an equals sign in a value provided to Environment= (#5710)
It wasn't clear before how an equals sign in an "Environment=" value might be
handled. Ref:
http://stackoverflow.com/questions/43278883/how-to-write-systemd-environment-variables-value-which-contains/43280157
2017-04-11 23:19:06 +02:00
Torstein Husebø
6cf5a96489 man: fix typo (#5556) 2017-03-08 07:54:22 -05:00
Lennart Poettering
525872bfab man: document that ProtectKernelTunables= and ProtectControlGroups= implies MountAPIVFS=
See: #5384
2017-02-21 21:55:43 +01:00
AsciiWolf
28a0ad81ee man: use https:// in URLs 2017-02-21 16:28:04 +01:00
Lennart Poettering
0b8fab97cf man: improve documentation on seccomp regarding alternative ABIs
Let's clarify that RestrictAddressFamilies= and MemoryDenyWriteExecute=
are only fully effective if non-native system call architectures are
disabled, since they otherwise may be used to circumvent the filters, as
the filters aren't equally effective on all ABIs.

Fixes: #5277
2017-02-09 18:42:17 +01:00
Lennart Poettering
23deef88b9 Revert "core/execute: set HOME, USER also for root users"
This reverts commit 8b89628a10.

This broke #5246
2017-02-09 11:43:44 +01:00
Zbigniew Jędrzejewski-Szmek
fc6149a6ce Merge pull request #4962 from poettering/root-directory-2
Add new MountAPIVFS= boolean unit file setting + RootImage=
2017-02-08 23:05:05 -05:00
Zbigniew Jędrzejewski-Szmek
ef3116b5d4 man: add more commas for clarify and reword a few sentences 2017-02-08 22:53:16 -05:00
Lennart Poettering
ae9d60ce4e seccomp: on s390 the clone() parameters are reversed
Add a bit of code that tries to get the right parameter order in place
for some of the better known architectures, and skips
restrict_namespaces for other archs.

This also bypasses the test on archs where we don't know the right
order.

In this case I didn't bother with testing the case where no filter is
applied, since that is hopefully just an issue for now, as there's
nothing stopping us from supporting more archs, we just need to know
which order is right.

Fixes: #5241
2017-02-08 22:21:27 +01:00
Lennart Poettering
8a50cf6957 seccomp: MemoryDenyWriteExecute= should affect both mmap() and mmap2() (#5254)
On i386 we block the old mmap() call entirely, since we cannot properly
filter it. Thankfully it hasn't been used by glibc since quite some
time.

Fixes: #5240
2017-02-08 15:14:02 +01:00
Lennart Poettering
915e6d1676 core: add RootImage= setting for using a specific image file as root directory for a service
This is similar to RootDirectory= but mounts the root file system from a
block device or loopback file instead of another directory.

This reuses the image dissector code now used by nspawn and
gpt-auto-discovery.
2017-02-07 12:19:42 +01:00
Lennart Poettering
5d997827e2 core: add a per-unit setting MountAPIVFS= for mounting /dev, /proc, /sys in conjunction with RootDirectory=
This adds a boolean unit file setting MountAPIVFS=. If set, the three
main API VFS mounts will be mounted for the service. This only has an
effect on RootDirectory=, which it makes a ton times more useful.

(This is basically the /dev + /proc + /sys mounting code posted in the
original #4727, but rebased on current git, and with the automatic logic
replaced by explicit logic controlled by a unit file setting)
2017-02-07 11:22:05 +01:00
Lennart Poettering
142bd808a1 man: Document that RestrictAddressFamilies= doesn't work on s390/s390x/...
We already say that it doesn't work on i386, but there are more archs
like that apparently.
2017-02-06 14:17:12 +01:00
Zbigniew Jędrzejewski-Szmek
8b89628a10 core/execute: set HOME, USER also for root users
This changes the environment for services running as root from:

LANG=C.utf8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
INVOCATION_ID=ffbdec203c69499a9b83199333e31555
JOURNAL_STREAM=8:1614518

to

LANG=C.utf8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root
USER=root
SHELL=/bin/sh
INVOCATION_ID=15a077963d7b4ca0b82c91dc6519f87c
JOURNAL_STREAM=8:1616718

Making the environment special for the root user complicates things
unnecessarily. This change simplifies both our logic (by making the setting
of the variables unconditional), and should also simplify the logic in
services (particularly scripts).

Fixes #5124.
2017-02-03 11:49:22 -05:00
Brandon Philips
9806301614 man: fix spelling error parth -> path 2017-02-02 00:54:42 +01:00
Jakub Wilk
301a21a880 man: fix typos (#5109) 2017-01-19 16:54:22 +01:00
Zbigniew Jędrzejewski-Szmek
5b3637b44a Merge pull request #4991 from poettering/seccomp-fix 2017-01-17 23:10:46 -05:00
Zbigniew Jędrzejewski-Szmek
374e692252 Merge pull request #5009 from ian-kelling/ian-mnt-namespace-doc 2017-01-11 15:23:00 -05:00
Ian Kelling
fa2a396620 doc: MountFlags= don't reference container which may not exist (#5011) 2017-01-03 21:32:31 +01:00
Ian Kelling
7141028d30 doc: correct "or" to "and" in MountFlags= description (#5010) 2017-01-03 21:31:20 +01:00
Ian Kelling
4b957756b8 man: document mount deletion between commands 2017-01-03 02:17:50 -08:00
Martin Pitt
56a9366d7d Merge pull request #4994 from poettering/private-tmp-tmpfiles
automatically clean up PrivateTmp= left-overs in /var/tmp on next boot
2016-12-29 11:18:38 +01:00
Lennart Poettering
9eb484fa40 man: add brief documentation for the (sd-pam) processes created due to PAMName= (#4967)
A follow-up for #4942, adding a brief but more correct explanation of
the processes.
2016-12-29 10:55:27 +01:00
Lennart Poettering
d71f050599 core: implicitly order units with PrivateTmp= after systemd-tmpfiles-setup.service
Preparation for fixing #4401.
2016-12-27 23:25:24 +01:00
Lennart Poettering
bd2ab3f4f6 seccomp: add two new filter sets: @reboot and @swap
These groupe reboot()/kexec() and swapon()/swapoff() respectively
2016-12-27 18:09:37 +01:00
Lennart Poettering
d2d6c096f6 core: add ability to define arbitrary bind mounts for services
This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow
defining arbitrary bind mounts specific to particular services. This is
particularly useful for services with RootDirectory= set as this permits making
specific bits of the host directory available to chrooted services.

The two new settings follow the concepts nspawn already possess in --bind= and
--bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these
latter options should probably be renamed to BindPaths= and BindReadOnlyPaths=
too).

Fixes: #3439
2016-12-14 00:54:10 +01:00
Jouke Witteveen
a4e26faf33 man: fix $SERVICE_RESULT/$EXIT_CODE/$EXIT_STATUS documentation
Note that any exit code is available through $EXIT_STATUS and not through
$EXIT_CODE. This mimics siginfo.
2016-12-06 13:37:14 +01:00
Jouke Witteveen
7ed0a4c537 bus-util: add protocol error type explanation 2016-11-29 23:19:52 +01:00
Jouke Witteveen
e0c7d5f7be man: document protocol error type for service failures (#4724) 2016-11-23 22:51:33 +01:00
Lennart Poettering
1a1b13c957 seccomp: add @filesystem syscall group (#4537)
@filesystem groups various file system operations, such as opening files and
directories for read/write and stat()ing them, plus renaming, deleting,
symlinking, hardlinking.
2016-11-21 19:29:12 -05:00
Lennart Poettering
5327c910d2 namespace: simplify, optimize and extend handling of mounts for namespace
This changes a couple of things in the namespace handling:

It merges the BindMount and TargetMount structures. They are mostly the same,
hence let's just use the same structue, and rely on C's implicit zero
initialization of partially initialized structures for the unneeded fields.

This reworks memory management of each entry a bit. It now contains one "const"
and one "malloc" path. We use the former whenever we can, but use the latter
when we have to, which is the case when we have to chase symlinks or prefix a
root directory. This means in the common case we don't actually need to
allocate any dynamic memory. To make this easy to use we add an accessor
function bind_mount_path() which retrieves the right path string from a
BindMount structure.

While we are at it, also permit "+" as prefix for dirs configured with
ReadOnlyPaths= and friends: if specified the root directory of the unit is
implicited prefixed.

This also drops set_bind_mount() and uses C99 structure initialization instead,
which I think is more readable and clarifies what is being done.

This drops append_protect_kernel_tunables() and
append_protect_kernel_modules() as append_static_mounts() is now simple enough
to be called directly.

Prefixing with the root dir is now done in an explicit step in
prefix_where_needed(). It will prepend the root directory on each entry that
doesn't have it prefixed yet. The latter is determined depending on an extra
bit in the BindMount structure.
2016-11-17 18:08:32 +01:00
Djalal Harouni
8526555680 doc: move ProtectKernelModules= documentation near ProtectKernelTunalbes= 2016-11-15 15:04:41 +01:00
Djalal Harouni
a7db8614f3 doc: note when no new privileges is implied 2016-11-15 15:04:35 +01:00
Lennart Poettering
add005357d core: add new RestrictNamespaces= unit file setting
This new setting permits restricting whether namespaces may be created and
managed by processes started by a unit. It installs a seccomp filter blocking
certain invocations of unshare(), clone() and setns().

RestrictNamespaces=no is the default, and does not restrict namespaces in any
way. RestrictNamespaces=yes takes away the ability to create or manage any kind
of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces
so that only mount and IPC namespaces may be created/managed, but no other
kind of namespaces.

This setting should be improve security quite a bit as in particular user
namespacing was a major source of CVEs in the kernel in the past, and is
accessible to unprivileged processes. With this setting the entire attack
surface may be removed for system services that do not make use of namespaces.
2016-11-04 07:40:13 -06:00
Zbigniew Jędrzejewski-Szmek
cf88547034 Merge pull request #4548 from keszybz/seccomp-help
systemd-analyze syscall-filter
2016-11-03 20:27:45 -04:00
Kees Cook
d974f949f1 doc: clarify NoNewPrivileges (#4562)
Setting no_new_privs does not stop UID changes, but rather blocks
gaining privileges through execve(). Also fixes a small typo.
2016-11-03 20:26:59 -04:00
Zbigniew Jędrzejewski-Szmek
d5efc18b60 seccomp-util, analyze: export comments as a help string
Just to make the whole thing easier for users.
2016-11-03 09:35:36 -04:00
Zbigniew Jędrzejewski-Szmek
869feb3388 analyze: add syscall-filter verb
This should make it easier for users to understand what each filter
means as the list of syscalls is updated in subsequent systemd versions.
2016-11-03 09:35:35 -04:00
Lennart Poettering
2ca8dc15f9 man: document that too strict system call filters may affect the service manager
If execve() or socket() is filtered the service manager might get into trouble
executing the service binary, or handling any failures when this fails. Mention
this in the documentation.

The other option would be to implicitly whitelist all system calls that are
required for these codepaths. However, that appears less than desirable as this
would mean socket() and many related calls have to be whitelisted
unconditionally. As writing system call filters requires a certain level of
expertise anyway it sounds like the better option to simply document these
issues and suggest that the user disables system call filters in the service
temporarily in order to debug any such failures.

See: #3993.
2016-11-02 08:55:24 -06:00
Lennart Poettering
133ddbbeae seccomp: add two new syscall groups
@resources contains various syscalls that alter resource limits and memory and
scheduling parameters of processes. As such they are good candidates to block
for most services.

@basic-io contains a number of basic syscalls for I/O, similar to the list
seccomp v1 permitted but slightly more complete. It should be useful for
building basic whitelisting for minimal sandboxes
2016-11-02 08:50:00 -06:00
Lennart Poettering
aa6b9cec88 man: two minor fixes 2016-11-02 08:50:00 -06:00
Lennart Poettering
cd5bfd7e60 seccomp: include pipes and memfd in @ipc
These system calls clearly fall in the @ipc category, hence should be listed
there, simply to avoid confusion and surprise by the user.
2016-11-02 08:50:00 -06:00
Lennart Poettering
a8c157ff30 seccomp: drop execve() from @process list
The system call is already part in @default hence implicitly allowed anyway.
Also, if it is actually blocked then systemd couldn't execute the service in
question anymore, since the application of seccomp is immediately followed by
it.
2016-11-02 08:49:59 -06:00
Lennart Poettering
c79aff9a82 seccomp: add clock query and sleeping syscalls to "@default" group
Timing and sleep are so basic operations, it makes very little sense to ever
block them, hence don't.
2016-11-02 08:49:59 -06:00
Zbigniew Jędrzejewski-Szmek
aa34055ffb seccomp: allow specifying arm64, mips, ppc (#4491)
"Secondary arch" table for mips is entirely speculative…
2016-11-01 09:33:18 -06:00
Jakub Wilk
b17649ee5e man: fix typos (#4527) 2016-10-31 08:08:08 -04:00