authorLennart Poettering <lennart@poettering.net>2014-02-26 02:28:52 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-26 02:28:52 +0100
commitf513e420c8b1a1d4c13092cd378f048b69793497 (patch)
tree8bc6f9e42cec765ca4bc7f1b769177e9a3fb1016
parent9c423fbf2a11bf9c936017c0f1e06ea2e4e82a40 (diff)
exec: imply NoNewPriviliges= only when seccomp filters are used in user mode
-rw-r--r--man/systemd.exec.xml59
-rw-r--r--src/core/execute.c7
-rw-r--r--src/core/unit.c8
3 files changed, 46 insertions, 28 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 413d81d330..9224f1ef3d 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1010,8 +1010,8 @@
<varlistentry>
<term><varname>SystemCallFilter=</varname></term>
- <listitem><para>Takes a space-separated
- list of system call
+ <listitem><para>Takes a
+ space-separated list of system call
names. If this setting is used, all
system calls executed by the unit
processes except for the listed ones
@@ -1023,12 +1023,13 @@
the effect is inverted: only the
listed system calls will result in
immediate process termination
- (blacklisting). If this option is used,
+ (blacklisting). If running in user
+ mode and this option is used,
<varname>NoNewPrivileges=yes</varname>
- is implied. This feature makes use of
- the Secure Computing Mode 2 interfaces
- of the kernel ('seccomp filtering')
- and is useful for enforcing a minimal
+ is implied. This feature makes use of the
+ Secure Computing Mode 2 interfaces of
+ the kernel ('seccomp filtering') and
+ is useful for enforcing a minimal
sandboxing environment. Note that the
<function>execve</function>,
<function>rt_sigreturn</function>,
@@ -1096,28 +1097,31 @@
<constant>x86</constant>,
<constant>x86-64</constant>,
<constant>x32</constant>,
- <constant>arm</constant> as well as the
- special identifier
- <constant>native</constant>. Only system
- calls of the specified architectures
- will be permitted to processes of this
- unit. This is an effective way to
- disable compatibility with non-native
- architectures for processes, for
- example to prohibit execution of
- 32-bit x86 binaries on 64-bit x86-64
- systems. The special
+ <constant>arm</constant> as well as
+ the special identifier
+ <constant>native</constant>. Only
+ system calls of the specified
+ architectures will be permitted to
+ processes of this unit. This is an
+ effective way to disable compatibility
+ with non-native architectures for
+ processes, for example to prohibit
+ execution of 32-bit x86 binaries on
+ 64-bit x86-64 systems. The special
<constant>native</constant> identifier
implicitly maps to the native
architecture of the system (or more
strictly: to the architecture the
- system manager is compiled for). Note
- that setting this option to a
- non-empty list implies that
- <constant>native</constant> is included
- too. By default, this option is set to
- the empty list, i.e. no architecture
- system call filtering is
+ system manager is compiled for). If
+ running in user mode and this option
+ is used,
+ <varname>NoNewPrivileges=yes</varname>
+ is implied. Note that setting this
+ option to a non-empty list implies
+ that <constant>native</constant> is
+ included too. By default, this option
+ is set to the empty list, i.e. no
+ architecture system call filtering is
applied.</para></listitem>
</varlistentry>
@@ -1149,7 +1153,10 @@
sockets only) are unaffected. Note
that this option has no effect on
32bit x86 and is ignored (but works
- correctly on x86-64). By default no
+ correctly on x86-64). If running in user
+ mode and this option is used,
+ <varname>NoNewPrivileges=yes</varname>
+ is implied. By default no
restriction applies, all address
families are accessible to
processes. If assigned the empty
diff --git a/src/core/execute.c b/src/core/execute.c
index fff25c2b23..9de6e8726f 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1706,7 +1706,8 @@ int exec_spawn(ExecCommand *command,
}
#ifdef HAVE_SECCOMP
- if (context->address_families) {
+ if (context->address_families_whitelist ||
+ !set_isempty(context->address_families)) {
err = apply_address_families(context);
if (err < 0) {
r = EXIT_ADDRESS_FAMILIES;
@@ -1714,7 +1715,9 @@ int exec_spawn(ExecCommand *command,
}
}
- if (context->syscall_filter || context->syscall_archs) {
+ if (context->syscall_whitelist ||
+ !set_isempty(context->syscall_filter) ||
+ !set_isempty(context->syscall_archs)) {
err = apply_seccomp(context);
if (err < 0) {
r = EXIT_SECCOMP;
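Review bot: The predicate `context->syscall_whitelist || !set_isempty(context->syscall_filter) || !set_isempty(context->syscall_archs)` (and its address-family twin in the first hunk) is the same expression that unit.c's unit_exec_context_patch_defaults now evaluates to decide whether NoNewPrivileges= is implied, so the two sites will drift the next time a seccomp-backed option is added and one of them is forgotten. A single helper next to ExecContext, e.g. `bool exec_context_needs_seccomp(const ExecContext *c)`, called from both places would keep the "which options install a filter" decision in one spot. Independently, the reason a whitelist flag alone triggers the filter even when the set is empty is not stated; a comment such as `/* In whitelist mode an empty set still needs a filter installed */` above each condition would stop a later cleanup from collapsing it back to a plain non-empty check. exec_spawn begins and ends outside these hunks.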
diff --git a/src/core/unit.c b/src/core/unit.c
index 9d54147adb..05470739d2 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -2817,6 +2817,14 @@ int unit_exec_context_patch_defaults(Unit *u, ExecContext *c) {
return r;
}
+ if (u->manager->running_as == SYSTEMD_USER &&
+ (c->syscall_whitelist ||
+ !set_isempty(c->syscall_filter) ||
+ !set_isempty(c->syscall_archs) ||
+ c->address_families_whitelist ||
+ !set_isempty(c->address_families)))
+ c->no_new_privileges = true;
+
return 0;
}
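Review bot: The new block turns on `c->no_new_privileges` only when `u->manager->running_as == SYSTEMD_USER`, but nothing in the code says why system-mode units that use the same filters are exempt; the man page change only restates the condition. Presumably the system manager still holds the privilege the kernel accepts as an alternative to no_new_privs when it installs the filter in exec_spawn, whereas a user instance does not, but that ordering is not visible here, so a comment above the `if` should record the rationale, e.g. `/* Unprivileged (user) instances can only install seccomp filters with no_new_privs set, hence imply NoNewPrivileges= for them */`. Without it the next reader cannot tell whether dropping the user-mode condition would break the filter install or merely change a default. unit_exec_context_patch_defaults begins outside the hunk.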