authorDjalal Harouni <tixxdz@opendz.org>2016-11-15 20:45:27 +0100
committerGitHub <noreply@github.com>2016-11-15 20:45:27 +0100
commitafc402b76a4520997a7c831a943be75e3072b301 (patch)
tree0ebe0b88cb1c755e5cd49cb169b23f494b99a3a8 /src/core
parent22f1f8f24cc845dbb953535e93d69f06aa69712f (diff)
parent73186d534b1d4a8c217cf102ffd837d8e61a7e42 (diff)
Merge pull request #4658 from endocode/djalal/sandbox-various-fixes-v1
core: improve the logic that implies no new privileges and documentation fixes
Diffstat (limited to 'src/core')
-rw-r--r--src/core/dbus-execute.c2
-rw-r--r--src/core/execute.c3
-rw-r--r--src/core/execute.h1
-rw-r--r--src/core/load-fragment-gperf.gperf.m42
-rw-r--r--src/core/load-fragment.c1
-rw-r--r--src/core/unit.c8
6 files changed, 4 insertions, 13 deletions
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index d7bb0496a0..23c1b44573 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -781,7 +781,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("RuntimeDirectory", "as", NULL, offsetof(ExecContext, runtime_directory), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST),
- SD_BUS_PROPERTY("RestrictNamespace", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("RestrictNamespaces", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_VTABLE_END
};
diff --git a/src/core/execute.c b/src/core/execute.c
index f666f7c6ce..04c4e511f4 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2201,7 +2201,8 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
return false;
- return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
+ /* We need NNP if we have any form of seccomp and are unprivileged */
+ return context_has_address_families(c) ||
c->memory_deny_write_execute ||
c->restrict_realtime ||
exec_context_restrict_namespaces_set(c) ||
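Review bot: The comment moved onto its own line still says only "any form of seccomp", while the visible terms cover address families, MemoryDenyWriteExecute, RestrictRealtime and RestrictNamespaces and the return expression continues past the hunk. Since the unit.c hunk in this merge removes the user-manager path that forced no_new_privileges from syscall_filter, syscall_archs and address_families, this expression appears to become the only place those settings imply NNP, so it is worth confirming that the terms outside the hunk include the syscall filter and architecture sets. A more specific comment would document the dependency the check encodes: `/* Installing a seccomp filter without CAP_SYS_ADMIN requires NNP, so any seccomp-backed setting implies it when we are unprivileged. */`. The body of context_has_no_new_privileges starts and ends outside the hunk.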
diff --git a/src/core/execute.h b/src/core/execute.h
index 56f880cffe..e52640ee91 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -216,7 +216,6 @@ struct ExecContext {
bool nice_set:1;
bool ioprio_set:1;
bool cpu_sched_set:1;
- bool no_new_privileges_set:1;
};
static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) {
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index cb2f384f47..f4ef5a0140 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -57,7 +57,7 @@ m4_ifdef(`HAVE_SECCOMP',
$1.SystemCallArchitectures, config_parse_syscall_archs, 0, offsetof($1, exec_context.syscall_archs)
$1.SystemCallErrorNumber, config_parse_syscall_errno, 0, offsetof($1, exec_context)
$1.MemoryDenyWriteExecute, config_parse_bool, 0, offsetof($1, exec_context.memory_deny_write_execute)
-$1.RestrictNamespaces, config_parse_restrict_namespaces, 0, offsetof($1, exec_context.restrict_namespaces)
+$1.RestrictNamespaces, config_parse_restrict_namespaces, 0, offsetof($1, exec_context)
$1.RestrictRealtime, config_parse_bool, 0, offsetof($1, exec_context.restrict_realtime)
$1.RestrictAddressFamilies, config_parse_address_families, 0, offsetof($1, exec_context)',
`$1.SystemCallFilter, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
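Review bot: The RestrictNamespaces= entry now hands config_parse_restrict_namespaces the whole exec_context instead of the restrict_namespaces field, matching the SystemCallErrorNumber and RestrictAddressFamilies entries around it, but the parser itself is not part of this diff (load-fragment.c shows only the no_new_privileges_set deletion). The change is only correct if that parser already treats its data argument as an ExecContext pointer; if it still writes through a pointer to the unsigned long field, the write now lands at the start of the context. Worth confirming against the parser, and a parse of a fragment containing RestrictNamespaces= in the unit-file tests would catch this class of offsetof mismatch early.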
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 52079980d8..970eed27c1 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3896,7 +3896,6 @@ int config_parse_no_new_privileges(
}
c->no_new_privileges = k;
- c->no_new_privileges_set = true;
return 0;
}
diff --git a/src/core/unit.c b/src/core/unit.c
index bba0f5d357..da9bb58a52 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3429,14 +3429,6 @@ int unit_patch_contexts(Unit *u) {
ec->working_directory_missing_ok = true;
}
- if (MANAGER_IS_USER(u->manager) &&
- (ec->syscall_whitelist ||
- !set_isempty(ec->syscall_filter) ||
- !set_isempty(ec->syscall_archs) ||
- ec->address_families_whitelist ||
- !set_isempty(ec->address_families)))
- ec->no_new_privileges = true;
-
if (ec->private_devices)
ec->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) | (UINT64_C(1) << CAP_SYS_RAWIO));