| author | Djalal Harouni <tixxdz@opendz.org> | 2016-11-15 20:45:27 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-11-15 20:45:27 +0100 | 
| commit | afc402b76a4520997a7c831a943be75e3072b301 (patch) | |
| tree | 0ebe0b88cb1c755e5cd49cb169b23f494b99a3a8 /src | |
| parent | 22f1f8f24cc845dbb953535e93d69f06aa69712f (diff) | |
| parent | 73186d534b1d4a8c217cf102ffd837d8e61a7e42 (diff) | |
Merge pull request #4658 from endocode/djalal/sandbox-various-fixes-v1
core: improve the logic that implies no new privileges and documentation fixes
Diffstat (limited to 'src')
| -rw-r--r-- | src/core/dbus-execute.c | 2 | ||||
| -rw-r--r-- | src/core/execute.c | 3 | ||||
| -rw-r--r-- | src/core/execute.h | 1 | ||||
| -rw-r--r-- | src/core/load-fragment-gperf.gperf.m4 | 2 | ||||
| -rw-r--r-- | src/core/load-fragment.c | 1 | ||||
| -rw-r--r-- | src/core/unit.c | 8 | ||||
| -rw-r--r-- | src/shared/bus-util.c | 18 | ||||
| -rw-r--r-- | src/test/test-execute.c | 13 | 
8 files changed, 35 insertions, 13 deletions
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index d7bb0496a0..23c1b44573 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -781,7 +781,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
         SD_BUS_PROPERTY("RuntimeDirectory", "as", NULL, offsetof(ExecContext, runtime_directory), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST),
-        SD_BUS_PROPERTY("RestrictNamespace", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("RestrictNamespaces", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_VTABLE_END
 };
diff --git a/src/core/execute.c b/src/core/execute.c
index f666f7c6ce..04c4e511f4 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2201,7 +2201,8 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
         if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
                 return false;
-        return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
+        /* We need NNP if we have any form of seccomp and are unprivileged */
+        return context_has_address_families(c) ||
                 c->memory_deny_write_execute ||
                 c->restrict_realtime ||
                 exec_context_restrict_namespaces_set(c) ||
diff --git a/src/core/execute.h b/src/core/execute.h
index 56f880cffe..e52640ee91 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -216,7 +216,6 @@ struct ExecContext {
         bool nice_set:1;
         bool ioprio_set:1;
         bool cpu_sched_set:1;
-        bool no_new_privileges_set:1;
 };
 static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) {
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index cb2f384f47..f4ef5a0140 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -57,7 +57,7 @@ m4_ifdef(`HAVE_SECCOMP',
 $1.SystemCallArchitectures,      config_parse_syscall_archs,         0,                             offsetof($1, exec_context.syscall_archs)
 $1.SystemCallErrorNumber,        config_parse_syscall_errno,         0,                             offsetof($1, exec_context)
 $1.MemoryDenyWriteExecute,       config_parse_bool,                  0,                             offsetof($1, exec_context.memory_deny_write_execute)
-$1.RestrictNamespaces,           config_parse_restrict_namespaces,   0,                             offsetof($1, exec_context.restrict_namespaces)
+$1.RestrictNamespaces,           config_parse_restrict_namespaces,   0,                             offsetof($1, exec_context)
 $1.RestrictRealtime,             config_parse_bool,                  0,                             offsetof($1, exec_context.restrict_realtime)
 $1.RestrictAddressFamilies,      config_parse_address_families,      0,                             offsetof($1, exec_context)',
 `$1.SystemCallFilter,            config_parse_warn_compat,           DISABLED_CONFIGURATION,        0
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 52079980d8..970eed27c1 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3896,7 +3896,6 @@ int config_parse_no_new_privileges(
         }
         c->no_new_privileges = k;
-        c->no_new_privileges_set = true;
         return 0;
 }
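Review bot: The `RestrictNamespaces` entry now passes `offsetof($1, exec_context)` instead of `offsetof($1, exec_context.restrict_namespaces)`, so `config_parse_restrict_namespaces` receives a pointer to the whole ExecContext rather than to the `unsigned long` field; the parser is not in this diff, and the change is correct only if it already casts `data` to `ExecContext *` and writes `c->restrict_namespaces` itself, as the neighbouring `SystemCallErrorNumber` and `RestrictAddressFamilies` entries do for their parsers. If it did, the old offset made the parser write through a mis-typed pointer and the new `test_exec_restrict_namespaces` cases are what would catch it; if it did not, this hunk introduces exactly that bug, so the parser's `data` cast should be checked before merging. Either way the PR description ("improve the logic that implies no new privileges and documentation fixes") does not mention this change; a commit-message line such as `load-fragment: pass the ExecContext to config_parse_restrict_namespaces, as the parser expects` would record the intent.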
diff --git a/src/core/unit.c b/src/core/unit.c
index bba0f5d357..da9bb58a52 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3429,14 +3429,6 @@ int unit_patch_contexts(Unit *u) {
                         ec->working_directory_missing_ok = true;
                 }
-                if (MANAGER_IS_USER(u->manager) &&
-                    (ec->syscall_whitelist ||
-                     !set_isempty(ec->syscall_filter) ||
-                     !set_isempty(ec->syscall_archs) ||
-                     ec->address_families_whitelist ||
-                     !set_isempty(ec->address_families)))
-                        ec->no_new_privileges = true;
-
                 if (ec->private_devices)
                         ec->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) | (UINT64_C(1) << CAP_SYS_RAWIO));
diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
index 3b8768b9a7..e7b1b1cb20 100644
--- a/src/shared/bus-util.c
+++ b/src/shared/bus-util.c
@@ -43,6 +43,7 @@
 #include "escape.h"
 #include "fd-util.h"
 #include "missing.h"
+#include "nsflags.h"
 #include "parse-util.h"
 #include "proc-cmdline.h"
 #include "rlimit-util.h"
@@ -769,6 +770,23 @@ int bus_print_property(const char *name, sd_bus_message *property, bool value, b
                         char timespan[FORMAT_TIMESPAN_MAX];
                         print_property(name, "%s", format_timespan(timespan, sizeof(timespan), u, 0));
+                } else if (streq(name, "RestrictNamespaces")) {
+                        _cleanup_free_ char *s = NULL;
+                        const char *result = NULL;
+
+                        if ((u & NAMESPACE_FLAGS_ALL) == 0)
+                                result = "yes";
+                        else if ((u & NAMESPACE_FLAGS_ALL) == NAMESPACE_FLAGS_ALL)
+                                result = "no";
+                        else {
+                                r = namespace_flag_to_string_many(u, &s);
+                                if (r < 0)
+                                        return r;
+
+                                result = s;
+                        }
+
+                        print_property(name, "%s", result);
                 } else
                         print_property(name, "%"PRIu64, u);
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 6029853e3e..b2ea358b8c 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -219,6 +219,18 @@ static void test_exec_systemcallerrornumber(Manager *m) {
 #endif
 }
+static void test_exec_restrict_namespaces(Manager *m) {
+#ifdef HAVE_SECCOMP
+        if (!is_seccomp_available())
+                return;
+
+        test(m, "exec-restrict-namespaces-no.service", 0, CLD_EXITED);
+        test(m, "exec-restrict-namespaces-yes.service", 1, CLD_EXITED);
+        test(m, "exec-restrict-namespaces-mnt.service", 0, CLD_EXITED);
+        test(m, "exec-restrict-namespaces-mnt-blacklist.service", 1, CLD_EXITED);
+#endif
+}
+
 static void test_exec_systemcall_system_mode_with_user(Manager *m) {
 #ifdef HAVE_SECCOMP
         if (!is_seccomp_available())
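Review bot: The two mask tests in the new `RestrictNamespaces` branch encode a mapping a reader cannot verify from this hunk — `(u & NAMESPACE_FLAGS_ALL) == 0` prints "yes" and `== NAMESPACE_FLAGS_ALL` prints "no" — which is only right if the property carries the set of namespace flags still permitted, so an empty set means fully restricted; a comment above the first `if` stating that, e.g. `/* u is the set of permitted CLONE_NEW* flags: none permitted == fully restricted ("yes"), all permitted == unrestricted ("no") */`, would pin the intent for the next maintainer. `u` is a uint64_t here (the unchanged fallback prints it with PRIu64) but is handed to `namespace_flag_to_string_many()` whole, including any bits outside NAMESPACE_FLAGS_ALL that the two comparisons mask off; if that helper takes an `unsigned long` (its signature is not in the diff), the call also narrows on 32-bit targets, so passing `u & NAMESPACE_FLAGS_ALL` would be the safer argument. The enclosing `bus_print_property()` begins and ends outside the hunk, and `r` is declared there.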
@@ -435,6 +447,7 @@ int main(int argc, char *argv[]) {
                 test_exec_privatenetwork,
                 test_exec_systemcallfilter,
                 test_exec_systemcallerrornumber,
+                test_exec_restrict_namespaces,
                 test_exec_user,
                 test_exec_group,
                 test_exec_supplementary_groups,
