summaryrefslogtreecommitdiff
path: root/src/core/execute.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2012-07-17 04:17:53 +0200
committerLennart Poettering <lennart@poettering.net>2012-07-17 04:17:53 +0200
commit8351ceaea9480d9c2979aa2ff0f4982cfdfef58d (patch)
treefc1f94e5a17679960774da386a54d145255e4ef1 /src/core/execute.c
parentcd96b3b86abb4a88cac2722bdfb6e5d4413f6831 (diff)
execute: support syscall filtering using seccomp filters
Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c70
1 files changed, 70 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index daba1a3846..7a72aa486c 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -38,6 +38,7 @@
#include <linux/fs.h>
#include <linux/oom.h>
#include <sys/poll.h>
+#include <linux/seccomp-bpf.h>
#ifdef HAVE_PAM
#include <security/pam_appl.h>
@@ -60,6 +61,7 @@
#include "def.h"
#include "loopback-setup.h"
#include "path-util.h"
+#include "syscall-list.h"
#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
@@ -924,6 +926,59 @@ static void rename_process_from_path(const char *path) {
rename_process(process_name);
}
+static int apply_seccomp(uint32_t *syscall_filter) {
+ static const struct sock_filter header[] = {
+ VALIDATE_ARCHITECTURE,
+ EXAMINE_SYSCALL
+ };
+ static const struct sock_filter footer[] = {
+ _KILL_PROCESS
+ };
+
+ int i;
+ unsigned n;
+ struct sock_filter *f;
+ struct sock_fprog prog;
+
+ assert(syscall_filter);
+
+ /* First: count the syscalls to check for */
+ for (i = 0, n = 0; i < syscall_max(); i++)
+ if (syscall_filter[i >> 4] & (1 << (i & 31)))
+ n++;
+
+ /* Second: build the filter program from a header the syscall
+ * matches and the footer */
+ f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer)));
+ memcpy(f, header, sizeof(header));
+
+ for (i = 0, n = 0; i < syscall_max(); i++)
+ if (syscall_filter[i >> 4] & (1 << (i & 31))) {
+ struct sock_filter item[] = {
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, i, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+ };
+
+ assert_cc(ELEMENTSOF(item) == 2);
+
+ f[ELEMENTSOF(header) + 2*n] = item[0];
+ f[ELEMENTSOF(header) + 2*n+1] = item[1];
+
+ n++;
+ }
+
+ memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer));
+
+ /* Third: install the filter */
+ zero(prog);
+ prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n;
+ prog.filter = f;
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
+ return -errno;
+
+ return 0;
+}
+
int exec_spawn(ExecCommand *command,
char **argv,
const ExecContext *context,
@@ -1355,6 +1410,21 @@ int exec_spawn(ExecCommand *command,
r = EXIT_CAPABILITIES;
goto fail_child;
}
+
+ if (context->no_new_privileges)
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
+ err = -errno;
+ r = EXIT_NO_NEW_PRIVILEGES;
+ goto fail_child;
+ }
+
+ if (context->syscall_filter) {
+ err = apply_seccomp(context->syscall_filter);
+ if (err < 0) {
+ r = EXIT_SECCOMP;
+ goto fail_child;
+ }
+ }
}
if (!(our_env = new0(char*, 7))) {