search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
1:255.16-alt1
[systemd_ALT.git] / src / nspawn / nspawn-seccomp.c
blob7dac7f330e0f6cb202997931992e435e49f43a81
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <errno.h>
4 #include <linux/netlink.h>
5 #include <sys/capability.h>
6 #include <sys/socket.h>
7 #include <sys/types.h>
8
9 #include "alloc-util.h"
10 #include "log.h"
11 #include "nspawn-seccomp.h"
12 #include "seccomp-util.h"
13 #include "string-util.h"
14 #include "strv.h"
15
16 #if HAVE_SECCOMP
17
18 static int add_syscall_filters(
19 scmp_filter_ctx ctx,
20 uint32_t arch,
21 uint64_t cap_list_retain,
22 char **syscall_allow_list,
23 char **syscall_deny_list) {
24
25 static const struct {
26 uint64_t capability;
27 const char* name;
28 } allow_list[] = {
29 /* Let's use set names where we can */
30 { 0, "@aio" },
31 { 0, "@basic-io" },
32 { 0, "@chown" },
33 { 0, "@default" },
34 { 0, "@file-system" },
35 { 0, "@io-event" },
36 { 0, "@ipc" },
37 { 0, "@mount" },
38 { 0, "@network-io" },
39 { 0, "@process" },
40 { 0, "@resources" },
41 { 0, "@setuid" },
42 { 0, "@signal" },
43 { 0, "@sync" },
44 { 0, "@timer" },
45
46 /* The following four are sets we optionally enable, n case the caps have been configured for it */
47 { CAP_SYS_TIME, "@clock" },
48 { CAP_SYS_MODULE, "@module" },
49 { CAP_SYS_RAWIO, "@raw-io" },
50 { CAP_IPC_LOCK, "@memlock" },
51
52 /* Plus a good set of additional syscalls which are not part of any of the groups above */
53 { 0, "arm_fadvise64_64" },
54 { 0, "brk" },
55 { 0, "capget" },
56 { 0, "capset" },
57 { 0, "copy_file_range" },
58 { 0, "fadvise64" },
59 { 0, "fadvise64_64" },
60 { 0, "flock" },
61 { 0, "get_mempolicy" },
62 { 0, "getcpu" },
63 { 0, "getpriority" },
64 { 0, "getrandom" },
65 { 0, "ioctl" },
66 { 0, "ioprio_get" },
67 { 0, "kcmp" },
68 { 0, "madvise" },
69 { 0, "mincore" },
70 { 0, "mprotect" },
71 { 0, "mremap" },
72 { 0, "name_to_handle_at" },
73 { 0, "oldolduname" },
74 { 0, "olduname" },
75 { 0, "personality" },
76 { 0, "readahead" },
77 { 0, "readdir" },
78 { 0, "remap_file_pages" },
79 { 0, "sched_get_priority_max" },
80 { 0, "sched_get_priority_min" },
81 { 0, "sched_getaffinity" },
82 { 0, "sched_getattr" },
83 { 0, "sched_getparam" },
84 { 0, "sched_getscheduler" },
85 { 0, "sched_rr_get_interval" },
86 { 0, "sched_rr_get_interval_time64" },
87 { 0, "sched_yield" },
88 { 0, "sendfile" },
89 { 0, "sendfile64" },
90 { 0, "setdomainname" },
91 { 0, "setfsgid" },
92 { 0, "setfsgid32" },
93 { 0, "setfsuid" },
94 { 0, "setfsuid32" },
95 { 0, "sethostname" },
96 { 0, "setpgid" },
97 { 0, "setsid" },
98 { 0, "splice" },
99 { 0, "sysinfo" },
100 { 0, "tee" },
101 { 0, "umask" },
102 { 0, "uname" },
103 { 0, "userfaultfd" },
104 { 0, "vmsplice" },
105
106 /* The following individual syscalls are added depending on specified caps */
107 { CAP_SYS_PACCT, "acct" },
108 { CAP_SYS_PTRACE, "process_vm_readv" },
109 { CAP_SYS_PTRACE, "process_vm_writev" },
110 { CAP_SYS_PTRACE, "ptrace" },
111 { CAP_SYS_BOOT, "reboot" },
112 { CAP_SYSLOG, "syslog" },
113 { CAP_SYS_TTY_CONFIG, "vhangup" },
114
115 /*
116 * The following syscalls and groups are knowingly excluded:
117 *
118 * @cpu-emulation
119 * @keyring (NB: keyring is not namespaced!)
120 * @obsolete
121 * @pkey
122 * @swap
123 *
124 * bpf
125 * fanotify_init
126 * fanotify_mark
127 * kexec_file_load
128 * kexec_load
129 * lookup_dcookie
130 * nfsservctl
131 * open_by_handle_at
132 * perf_event_open
133 * quotactl
134 */
135 };
136
137 _cleanup_strv_free_ char **added = NULL;
138 int r;
139
140 for (size_t i = 0; i < ELEMENTSOF(allow_list); i++) {
141 if (allow_list[i].capability != 0 && (cap_list_retain & (1ULL << allow_list[i].capability)) == 0)
142 continue;
143
144 r = seccomp_add_syscall_filter_item(ctx,
145 allow_list[i].name,
146 SCMP_ACT_ALLOW,
147 syscall_deny_list,
148 false,
149 &added);
150 if (r < 0)
151 return log_error_errno(r, "Failed to add syscall filter item %s: %m", allow_list[i].name);
152 }
153
154 STRV_FOREACH(p, syscall_allow_list) {
155 r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true, &added);
156 if (r < 0)
157 log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
158 *p, seccomp_arch_to_string(arch));
159 }
160
161 /* The default action is ENOSYS. Respond with EPERM to all other "known" but not allow-listed
162 * syscalls. */
163 r = seccomp_add_syscall_filter_item(ctx, "@known", SCMP_ACT_ERRNO(EPERM), added, true, NULL);
164 if (r < 0)
165 log_warning_errno(r, "Failed to add rule for @known set on %s, ignoring: %m",
166 seccomp_arch_to_string(arch));
167
168 #if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
169 /* We have a large filter here, so let's turn on the binary tree mode if possible. */
170 r = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
171 if (r < 0)
172 log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
173 #endif
174
175 return 0;
176 }
177
178 int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **syscall_deny_list) {
179 uint32_t arch;
180 int r;
181
182 if (!is_seccomp_available()) {
183 log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
184 return 0;
185 }
186
187 SECCOMP_FOREACH_LOCAL_ARCH(arch) {
188 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
189
190 log_debug("Applying allow list on architecture: %s", seccomp_arch_to_string(arch));
191
192 /* We install ENOSYS as the default action, but it will only apply to syscalls which are not
193 * in the @known set, see above. */
194 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(ENOSYS));
195 if (r < 0)
196 return log_error_errno(r, "Failed to allocate seccomp object: %m");
197
198 r = add_syscall_filters(seccomp, arch, cap_list_retain, syscall_allow_list, syscall_deny_list);
199 if (r < 0)
200 return r;
201
202 r = seccomp_load(seccomp);
203 if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
204 return log_error_errno(r, "Failed to install seccomp filter: %m");
205 if (r < 0)
206 log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m",
207 seccomp_arch_to_string(arch));
208 }
209
210 SECCOMP_FOREACH_LOCAL_ARCH(arch) {
211 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
212
213 log_debug("Applying NETLINK_AUDIT mask on architecture: %s", seccomp_arch_to_string(arch));
214
215 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
216 if (r < 0)
217 return log_error_errno(r, "Failed to allocate seccomp object: %m");
218
219 /*
220 Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
221 container. We don't care and just turn off creation of audit sockets.
222
223 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
224 as indication that audit is disabled in the kernel.
225 */
226
227 r = seccomp_rule_add_exact(
228 seccomp,
229 SCMP_ACT_ERRNO(EAFNOSUPPORT),
230 SCMP_SYS(socket),
231 2,
232 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
233 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
234 if (r < 0) {
235 log_debug_errno(r, "Failed to add audit seccomp rule, ignoring: %m");
236 continue;
237 }
238
239 r = seccomp_load(seccomp);
240 if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
241 return log_error_errno(r, "Failed to install seccomp audit filter: %m");
242 if (r < 0)
243 log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m",
244 seccomp_arch_to_string(arch));
245 }
246
247 return 0;
248 }
249
250 #else
251
252 int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **syscall_deny_list) {
253 return 0;
254 }
255
256 #endif
A System and Session Manager (ALT Linux package)