| author | Jay Faulkner <jay@jvf.cc> | 2015-02-03 17:45:50 -0800 | 
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2015-02-04 13:34:46 +0100 | 
| commit | d0a0ccf3fecdb422d3fb7ab89646fe9042f11acd (patch) | |
| tree | bcf30e2e588e220bafd1adc480e36485fbb5bad6 | |
| parent | 057255fbbf2ecb1c46e025b04087fa9340d9880d (diff) | |
nspawn: Allow module loading if CAP_SYS_MODULE is requested
nspawn containers currently block module loading in all cases, with
no option to disable it. This allows an admin who specifically sets
capability=CAP_SYS_MODULE or capability=all to load modules.
| -rw-r--r-- | src/nspawn/nspawn.c | 23 | 
1 files changed, 20 insertions, 3 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 1e6e7bf302..fb672510b4 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2485,15 +2485,18 @@ static int setup_seccomp(void) {
         static const int blacklist[] = {
                 SCMP_SYS(kexec_load),
                 SCMP_SYS(open_by_handle_at),
-                SCMP_SYS(init_module),
-                SCMP_SYS(finit_module),
-                SCMP_SYS(delete_module),
                 SCMP_SYS(iopl),
                 SCMP_SYS(ioperm),
                 SCMP_SYS(swapon),
                 SCMP_SYS(swapoff),
         };
 
+        static const int kmod_blacklist[] = {
+                SCMP_SYS(init_module),
+                SCMP_SYS(finit_module),
+                SCMP_SYS(delete_module),
+        };
+
         scmp_filter_ctx seccomp;
         unsigned i;
         int r;
@@ -2518,6 +2521,20 @@ static int setup_seccomp(void) {
                 }
         }
 
+        /* If the CAP_SYS_MODULE capability is not requested then
+         * we'll block the kmod syscalls too */
+        if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
+                for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) {
+                        r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0);
+                        if (r == -EFAULT)
+                                continue; /* unknown syscall */
+                        if (r < 0) {
+                                log_error_errno(r, "Failed to block syscall: %m");
+                                goto finish;
+                        }
+                }
+        }
+
         /*
            Audit is broken in containers, much of the userspace audit
            hookup will fail if running inside a container. We don't
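Review bot: The added loop over `kmod_blacklist` in the second hunk repeats, statement for statement, the error handling of the loop over `blacklist` that closes in the two `}` context lines at the top of that hunk (same `seccomp_rule_add` call, same `-EFAULT` skip, same `goto finish`), so the two copies can drift apart when one of them is later fixed; a small static helper taking the table and its length, called once unconditionally and once under the capability check, keeps the seccomp error path in one place. The gate itself reads correctly: `arg_retain` is the retained-capability mask and `CAP_SYS_MODULE` is well within the `1ULL` shift. The comment above the `if` should also say why the seccomp backstop is dropped at all, since a module is loaded into the kernel the container shares with the host and the retained capability already permits the call: `/* Block the kernel module syscalls unless CAP_SYS_MODULE was explicitly retained: a module goes into the host's kernel, so this is only opened on request. */`. setup_seccomp() starts and ends outside the hunk, so the shape of the first loop is inferred from its closing braces and should be confirmed before merging the two.
```c
/* Adds an EPERM rule for every syscall in the table; syscalls the
 * running libseccomp does not know (-EFAULT) are skipped. */
static int seccomp_block_syscalls(scmp_filter_ctx seccomp, const int *syscalls, size_t n) {
        size_t i;
        int r;

        for (i = 0; i < n; i++) {
                r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), syscalls[i], 0);
                if (r == -EFAULT)
                        continue; /* unknown syscall */
                if (r < 0) {
                        log_error_errno(r, "Failed to block syscall: %m");
                        return r;
                }
        }

        return 0;
}

/* … in setup_seccomp(), in place of the two per-table loops … */
        r = seccomp_block_syscalls(seccomp, blacklist, ELEMENTSOF(blacklist));
        if (r < 0)
                goto finish;

        /* Block the kernel module syscalls unless CAP_SYS_MODULE was explicitly
         * retained: a module goes into the host's kernel, so only open this on request. */
        if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
                r = seccomp_block_syscalls(seccomp, kmod_blacklist, ELEMENTSOF(kmod_blacklist));
                if (r < 0)
                        goto finish;
        }
```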
