forked from pool/systemd
0e288fc9c5
- Add upstream patch 0001-machine-don-t-return-uninitialized-variable.patch - Port and add upstream patch 0002-vconsole-setup-run-setfont-before-loadkeys.patch - Rename 0001-udev-net_setup_link-add-a-bit-more-logging.patch to 1048-udev-net_setup_link-add-a-bit-more-logging.patch - Port and add upstream patches 0001-udev-net_setup_link-add-a-bit-more-logging.patch 0003-namespace-make-sure-tmp-var-tmp-and-dev-are-writable.patch 0002-namespace-fix-uninitialized-memory-access.patch - Add upstream patches 0001-architecture-Add-tilegx.patch 0002-architecture-Add-cris.patch 0003-arch-add-crisv32-to-uname-check.patch 0004-architecture-remove-cris-from-uname-list.patch - Add upstream patches 0006-hwdb-update.patch 0007-hwdb-Update-database-of-Bluetooth-company-identifier.patch - Add upstream patches 0001-parse_uid-return-ENXIO-for-1-uids.patch 0002-util-when-unescaping-strings-don-t-allow-smuggling-i.patch 0003-localed-consider-an-unset-model-as-a-wildcard.patch 0004-sd-bus-when-an-event-loop-terminates-explicitly-clos.patch OBS-URL: https://build.opensuse.org/request/show/239780 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/systemd?expand=0&rev=191
95 lines
3.4 KiB
Diff
95 lines
3.4 KiB
Diff
From 28650077f36466d9c5ee27ef2006fae3171a2430 Mon Sep 17 00:00:00 2001
|
|
From: Lennart Poettering <lennart@poettering.net>
|
|
Date: Mon, 30 Jun 2014 16:22:12 +0200
|
|
Subject: [PATCH] nspawn: block open_by_handle_at() and others via seccomp
|
|
|
|
Let's protect ourselves against the recently reported docker security
|
|
issue. Our man page makes clear that we do not make any security
|
|
promises anyway, but well, this one is easy to mitigate, so let's do it.
|
|
While we are at it block a couple of more syscalls that are no good in
|
|
containers, too.
|
|
---
|
|
src/nspawn/nspawn.c | 47 +++++++++++++++++++++++++++++++++++------------
|
|
1 file changed, 35 insertions(+), 12 deletions(-)
|
|
|
|
diff --git src/nspawn/nspawn.c src/nspawn/nspawn.c
|
|
index fd61d07..656c1bf 100644
|
|
--- src/nspawn/nspawn.c
|
|
+++ src/nspawn/nspawn.c
|
|
@@ -1864,22 +1864,25 @@ static int setup_macvlan(pid_t pid) {
|
|
return 0;
|
|
}
|
|
|
|
-static int audit_still_doesnt_work_in_containers(void) {
|
|
+static int setup_seccomp(void) {
|
|
|
|
#ifdef HAVE_SECCOMP
|
|
+ static const int blacklist[] = {
|
|
+ SCMP_SYS(kexec_load),
|
|
+ SCMP_SYS(open_by_handle_at),
|
|
+ SCMP_SYS(init_module),
|
|
+ SCMP_SYS(finit_module),
|
|
+ SCMP_SYS(delete_module),
|
|
+ SCMP_SYS(iopl),
|
|
+ SCMP_SYS(ioperm),
|
|
+ SCMP_SYS(swapon),
|
|
+ SCMP_SYS(swapoff),
|
|
+ };
|
|
+
|
|
scmp_filter_ctx seccomp;
|
|
+ unsigned i;
|
|
int r;
|
|
|
|
- /*
|
|
- Audit is broken in containers, much of the userspace audit
|
|
- hookup will fail if running inside a container. We don't
|
|
- care and just turn off creation of audit sockets.
|
|
-
|
|
- This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
|
|
- with EAFNOSUPPORT which audit userspace uses as indication
|
|
- that audit is disabled in the kernel.
|
|
- */
|
|
-
|
|
seccomp = seccomp_init(SCMP_ACT_ALLOW);
|
|
if (!seccomp)
|
|
return log_oom();
|
|
@@ -1890,6 +1893,26 @@ static int audit_still_doesnt_work_in_containers(void) {
|
|
goto finish;
|
|
}
|
|
|
|
+ for (i = 0; i < ELEMENTSOF(blacklist); i++) {
|
|
+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
|
|
+ if (r == -EFAULT)
|
|
+ continue; /* unknown syscall */
|
|
+ if (r < 0) {
|
|
+ log_error("Failed to block syscall: %s", strerror(-r));
|
|
+ goto finish;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ Audit is broken in containers, much of the userspace audit
|
|
+ hookup will fail if running inside a container. We don't
|
|
+ care and just turn off creation of audit sockets.
|
|
+
|
|
+ This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
|
|
+ with EAFNOSUPPORT which audit userspace uses as indication
|
|
+ that audit is disabled in the kernel.
|
|
+ */
|
|
+
|
|
r = seccomp_rule_add(
|
|
seccomp,
|
|
SCMP_ACT_ERRNO(EAFNOSUPPORT),
|
|
@@ -3050,7 +3073,7 @@ int main(int argc, char *argv[]) {
|
|
|
|
dev_setup(arg_directory);
|
|
|
|
- if (audit_still_doesnt_work_in_containers() < 0)
|
|
+ if (setup_seccomp() < 0)
|
|
goto child_fail;
|
|
|
|
if (setup_dev_console(arg_directory, console) < 0)
|
|
--
|
|
1.7.9.2
|
|
|