systemd/0005-nspawn-block-open_by_handle_at-and-others-via-seccom.patch
Stephan Kulow 0e288fc9c5 Accepting request 239780 from Base:System
- Add upstream patch
  0001-machine-don-t-return-uninitialized-variable.patch
- Port and add upstream patch
  0002-vconsole-setup-run-setfont-before-loadkeys.patch

- Rename
  0001-udev-net_setup_link-add-a-bit-more-logging.patch
  to
  1048-udev-net_setup_link-add-a-bit-more-logging.patch 

- Port and add upstream patches
  0001-udev-net_setup_link-add-a-bit-more-logging.patch
  0003-namespace-make-sure-tmp-var-tmp-and-dev-are-writable.patch
  0002-namespace-fix-uninitialized-memory-access.patch

- Add upstream patches
  0001-architecture-Add-tilegx.patch
  0002-architecture-Add-cris.patch
  0003-arch-add-crisv32-to-uname-check.patch
  0004-architecture-remove-cris-from-uname-list.patch

- Add upstream patches
  0006-hwdb-update.patch
  0007-hwdb-Update-database-of-Bluetooth-company-identifier.patch

- Add upstream patches
  0001-parse_uid-return-ENXIO-for-1-uids.patch
  0002-util-when-unescaping-strings-don-t-allow-smuggling-i.patch
  0003-localed-consider-an-unset-model-as-a-wildcard.patch
  0004-sd-bus-when-an-event-loop-terminates-explicitly-clos.patch

OBS-URL: https://build.opensuse.org/request/show/239780
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/systemd?expand=0&rev=191
2014-07-12 15:14:24 +00:00


From 28650077f36466d9c5ee27ef2006fae3171a2430 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 30 Jun 2014 16:22:12 +0200
Subject: [PATCH] nspawn: block open_by_handle_at() and others via seccomp
Let's protect ourselves against the recently reported docker security
issue. Our man page makes clear that we do not make any security
promises anyway, but well, this one is easy to mitigate, so let's do it.
While we are at it, block a couple more syscalls that are no good in
containers, too.
---
src/nspawn/nspawn.c | 47 +++++++++++++++++++++++++++++++++++------------
1 file changed, 35 insertions(+), 12 deletions(-)
diff --git src/nspawn/nspawn.c src/nspawn/nspawn.c
index fd61d07..656c1bf 100644
--- src/nspawn/nspawn.c
+++ src/nspawn/nspawn.c
@@ -1864,22 +1864,25 @@ static int setup_macvlan(pid_t pid) {
return 0;
}
-static int audit_still_doesnt_work_in_containers(void) {
+static int setup_seccomp(void) {
#ifdef HAVE_SECCOMP
+ static const int blacklist[] = {
+ SCMP_SYS(kexec_load),
+ SCMP_SYS(open_by_handle_at),
+ SCMP_SYS(init_module),
+ SCMP_SYS(finit_module),
+ SCMP_SYS(delete_module),
+ SCMP_SYS(iopl),
+ SCMP_SYS(ioperm),
+ SCMP_SYS(swapon),
+ SCMP_SYS(swapoff),
+ };
+
scmp_filter_ctx seccomp;
+ unsigned i;
int r;
- /*
- Audit is broken in containers, much of the userspace audit
- hookup will fail if running inside a container. We don't
- care and just turn off creation of audit sockets.
-
- This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
- with EAFNOSUPPORT which audit userspace uses as indication
- that audit is disabled in the kernel.
- */
-
seccomp = seccomp_init(SCMP_ACT_ALLOW);
if (!seccomp)
return log_oom();
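Review bot: The `blacklist[]` table at the top of setup_seccomp() is a denylist laid over a SCMP_ACT_ALLOW default (the seccomp_init() call), so any syscall not named in it still reaches the kernel; the array deserves a comment saying so, e.g. `/* Denylist, not an allowlist: the default action is SCMP_ACT_ALLOW, so every syscall not listed here remains permitted. */`. The filter is also built for the native architecture only; unless secondary architectures are added with seccomp_arch_add() somewhere not visible here, 32-bit/compat binaries inside the container presumably hit libseccomp's bad-architecture action rather than these rules, which is worth stating in a comment or addressing. The set itself (kexec_load, module loading, iopl/ioperm, swapon/swapoff, open_by_handle_at) is a sensible point-in-time mitigation rather than a security boundary, as the commit message itself acknowledges, and the comment should say that too so nobody later reads the list as complete.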
@@ -1890,6 +1893,26 @@ static int audit_still_doesnt_work_in_containers(void) {
goto finish;
}
+ for (i = 0; i < ELEMENTSOF(blacklist); i++) {
+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
+ if (r == -EFAULT)
+ continue; /* unknown syscall */
+ if (r < 0) {
+ log_error("Failed to block syscall: %s", strerror(-r));
+ goto finish;
+ }
+ }
+
+ /*
+ Audit is broken in containers, much of the userspace audit
+ hookup will fail if running inside a container. We don't
+ care and just turn off creation of audit sockets.
+
+ This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
+ with EAFNOSUPPORT which audit userspace uses as indication
+ that audit is disabled in the kernel.
+ */
+
r = seccomp_rule_add(
seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT),
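Review bot: The error branch of the new loop logs `Failed to block syscall: %s` without identifying which entry failed, and the `-EFAULT` path skips an unresolvable syscall silently, so a platform where e.g. open_by_handle_at cannot be resolved loses the mitigation with no trace in the log; I would change the two lines to `log_debug("Syscall %d unknown on this architecture, not blocking it.", blacklist[i]); continue;` (assuming the usual systemd log helpers) and `log_error("Failed to block syscall %d: %s", blacklist[i], strerror(-r));`. Treating -EFAULT as "unknown syscall" is a libseccomp convention rather than a documented contract, so the `/* unknown syscall */` comment should name the libseccomp version it was checked against. The seccomp_rule_add() call for NETLINK_AUDIT at the end of the hunk continues past it.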
@@ -3050,7 +3073,7 @@ int main(int argc, char *argv[]) {
dev_setup(arg_directory);
- if (audit_still_doesnt_work_in_containers() < 0)
+ if (setup_seccomp() < 0)
goto child_fail;
if (setup_dev_console(arg_directory, console) < 0)
--
1.7.9.2