diff options
| author | Lennart Poettering <lennart@poettering.net> | 2014-02-26 02:28:52 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2014-02-26 02:28:52 +0100 |
| commit | f513e420c8b1a1d4c13092cd378f048b69793497 (patch) | |
| tree | 8bc6f9e42cec765ca4bc7f1b769177e9a3fb1016 | |
| parent | 9c423fbf2a11bf9c936017c0f1e06ea2e4e82a40 (diff) | |
exec: imply NoNewPriviliges= only when seccomp filters are used in user mode
| -rw-r--r-- | man/systemd.exec.xml | 59 | ||||
| -rw-r--r-- | src/core/execute.c | 7 | ||||
| -rw-r--r-- | src/core/unit.c | 8 |
3 files changed, 46 insertions, 28 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 413d81d330..9224f1ef3d 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1010,8 +1010,8 @@ <varlistentry> <term><varname>SystemCallFilter=</varname></term> - <listitem><para>Takes a space-separated - list of system call + <listitem><para>Takes a + space-separated list of system call names. If this setting is used, all system calls executed by the unit processes except for the listed ones @@ -1023,12 +1023,13 @@ the effect is inverted: only the listed system calls will result in immediate process termination - (blacklisting). If this option is used, + (blacklisting). If running in user + mode and this option is used, <varname>NoNewPrivileges=yes</varname> - is implied. This feature makes use of - the Secure Computing Mode 2 interfaces - of the kernel ('seccomp filtering') - and is useful for enforcing a minimal + is implied. This feature makes use of the + Secure Computing Mode 2 interfaces of + the kernel ('seccomp filtering') and + is useful for enforcing a minimal sandboxing environment. Note that the <function>execve</function>, <function>rt_sigreturn</function>, @@ -1096,28 +1097,31 @@ <constant>x86</constant>, <constant>x86-64</constant>, <constant>x32</constant>, - <constant>arm</constant> as well as the - special identifier - <constant>native</constant>. Only system - calls of the specified architectures - will be permitted to processes of this - unit. This is an effective way to - disable compatibility with non-native - architectures for processes, for - example to prohibit execution of - 32-bit x86 binaries on 64-bit x86-64 - systems. The special + <constant>arm</constant> as well as + the special identifier + <constant>native</constant>. Only + system calls of the specified + architectures will be permitted to + processes of this unit. This is an + effective way to disable compatibility + with non-native architectures for + processes, for example to prohibit + execution of 32-bit x86 binaries on + 64-bit x86-64 systems. The special <constant>native</constant> identifier implicitly maps to the native architecture of the system (or more strictly: to the architecture the - system manager is compiled for). Note - that setting this option to a - non-empty list implies that - <constant>native</constant> is included - too. By default, this option is set to - the empty list, i.e. no architecture - system call filtering is + system manager is compiled for). If + running in user mode and this option + is used, + <varname>NoNewPrivileges=yes</varname> + is implied. Note that setting this + option to a non-empty list implies + that <constant>native</constant> is + included too. By default, this option + is set to the empty list, i.e. no + architecture system call filtering is applied.</para></listitem> </varlistentry> @@ -1149,7 +1153,10 @@ sockets only) are unaffected. Note that this option has no effect on 32bit x86 and is ignored (but works - correctly on x86-64). By default no + correctly on x86-64). If running in user + mode and this option is used, + <varname>NoNewPrivileges=yes</varname> + is implied. By default no restriction applies, all address families are accessible to processes. If assigned the empty diff --git a/src/core/execute.c b/src/core/execute.c index fff25c2b23..9de6e8726f 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1706,7 +1706,8 @@ int exec_spawn(ExecCommand *command, } #ifdef HAVE_SECCOMP - if (context->address_families) { + if (context->address_families_whitelist || + !set_isempty(context->address_families)) { err = apply_address_families(context); if (err < 0) { r = EXIT_ADDRESS_FAMILIES; @@ -1714,7 +1715,9 @@ int exec_spawn(ExecCommand *command, } } - if (context->syscall_filter || context->syscall_archs) { + if (context->syscall_whitelist || + !set_isempty(context->syscall_filter) || + !set_isempty(context->syscall_archs)) { err = apply_seccomp(context); if (err < 0) { r = EXIT_SECCOMP; diff --git a/src/core/unit.c b/src/core/unit.c index 9d54147adb..05470739d2 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -2817,6 +2817,14 @@ int unit_exec_context_patch_defaults(Unit *u, ExecContext *c) { return r; } + if (u->manager->running_as == SYSTEMD_USER && + (c->syscall_whitelist || + !set_isempty(c->syscall_filter) || + !set_isempty(c->syscall_archs) || + c->address_families_whitelist || + !set_isempty(c->address_families))) + c->no_new_privileges = true; + return 0; } |