From d347d9029c7ec6b30eaaab93649105d935061b55 Mon Sep 17 00:00:00 2001
From: Felipe Sateler
Date: Wed, 31 Aug 2016 10:00:35 -0300
Subject: seccomp: also detect if seccomp filtering is enabled
In https://github.com/systemd/systemd/pull/4004 , a runtime detection method for seccomp was added. However, it does not detect the case where CONFIG_SECCOMP=y but CONFIG_SECCOMP_FILTER=n. This is possible if the architecture does not support filtering yet. Add a check for that case too. While at it, change get_proc_field usage to use PR_GET_SECCOMP prctl, as that should save a few system calls and (unnecessary) allocations. Previously, reading of /proc/self/stat was done as recommended by prctl(2) as safer. However, given that we need to do the prctl call anyway, lets skip opening, reading and parsing the file. Code for checking inspired by https://outflux.net/teach-seccomp/autodetect.html
---
 src/core/execute.c | 2 +-
 src/shared/seccomp-util.c | 19 +++++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index 55f15d7e49..2026137721 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1077,7 +1077,7 @@ static void rename_process_from_path(const char *path) {
 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
 if (!is_seccomp_available()) {
 log_open();
- log_unit_debug(u, "SECCOMP not detected in the kernel, skipping %s", msg);
+ log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
 log_close();
 return true;
 }
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 6c489284d1..2f42381fc1 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -20,9 +20,9 @@
 #include
 #include
 #include
+#include
+#include
 
-#include "alloc-util.h"
-#include "fileio.h"
 #include "macro.h"
 #include "seccomp-util.h"
 #include "string-util.h"
@@ -91,11 +91,22 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
 }
 
+static bool is_basic_seccomp_available(void) {
+ int r;
+ r = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
+ return r >= 0;
+}
+
+static bool is_seccomp_filter_available(void) {
+ int r;
+ r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+ return r < 0 && errno == EFAULT;
+}
+
 bool is_seccomp_available(void) {
- _cleanup_free_ char* field = NULL;
 static int cached_enabled = -1;
 
 if (cached_enabled < 0)
- cached_enabled = get_proc_field("/proc/self/status", "Seccomp", "\n", &field) == 0;
+ cached_enabled = is_basic_seccomp_available() && is_seccomp_filter_available();
 
 return cached_enabled;
 }
-- cgit v1.2.3-54-g00ecf
From 1cec406d62f00a7642c94834010a60548ae99d96 Mon Sep 17 00:00:00 2001
From: Felipe Sateler
Date: Tue, 6 Sep 2016 20:25:22 -0300
Subject: nspawn: detect SECCOMP availability, skip audit filter if unavailable
Fail hard if SECCOMP was detected but could not be installed
---
 src/nspawn/nspawn-seccomp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 3ab7160ebe..44a0b397ab 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -130,6 +130,11 @@ int setup_seccomp(uint64_t cap_list_retain) {
 scmp_filter_ctx seccomp;
 int r;
 
+ if (!is_seccomp_available()) {
+ log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP audit filter");
+ return 0;
+ }
+
 seccomp = seccomp_init(SCMP_ACT_ALLOW);
 if (!seccomp)
 return log_oom();
@@ -173,11 +178,6 @@ int setup_seccomp(uint64_t cap_list_retain) {
 }
 
 r = seccomp_load(seccomp);
- if (r == -EINVAL) {
- log_debug_errno(r, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m");
- r = 0;
- goto finish;
- }
 if (r < 0) {
 log_error_errno(r, "Failed to install seccomp audit filter: %m");
 goto finish;
-- cgit v1.2.3-54-g00ecf
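Review bot: `is_seccomp_filter_available()` accepts only `errno == EFAULT` as "filtering supported", so a `PR_SET_SECCOMP` probe that fails for any other reason — e.g. EPERM/EACCES because an outer seccomp filter or LSM denies the call when systemd itself runs inside a container — is reported exactly like CONFIG_SECCOMP_FILTER=n, and `cached_enabled` then pins that answer for the life of the process. Since the execute.c caller only emits a debug message, every unit's seccomp-based sandboxing would be dropped silently in that situation. I would at least surface the unexpected errno, e.g. `if (r < 0 && errno != EFAULT) log_debug_errno(errno, "Unexpected failure probing PR_SET_SECCOMP, assuming seccomp filtering is unavailable: %m");` (assuming log.h is in scope in this file), and consider treating only EINVAL as the definitive "unsupported" answer. The EFAULT trick also deserves a comment, since as far as I can tell it relies on the kernel copying the filter pointer before it performs the no_new_privs/CAP_SYS_ADMIN check: `/* NULL filter: EFAULT means the kernel understands SECCOMP_MODE_FILTER, EINVAL means CONFIG_SECCOMP_FILTER=n. */`.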
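Review bot: The new early return in `setup_seccomp()` downgrades a missing audit filter to a `log_debug()`, so a container silently starts without its syscall restrictions whenever `is_seccomp_available()` answers no — and, judging by the helper introduced in the preceding commit, that also happens when the probe prctl is merely denied by an enclosing sandbox rather than unsupported by the kernel. A security-relevant degradation like this should be visible at default log levels; I would use `log_warning("SECCOMP features not detected in the kernel, disabling SECCOMP audit filter");` or at least `log_notice`. The rest of `setup_seccomp()` lies outside this hunk.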
From fd74fa791f95433ac52520764b67e6fb4bda2c0e Mon Sep 17 00:00:00 2001
From: Felipe Sateler
Date: Mon, 5 Sep 2016 19:16:13 -0300
Subject: README: document that CONFIG_SECCOMP_FILTER is required for SECCOMP support
---
 README | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README b/README
index 19c15a70b0..fb6fd6381b 100644
--- a/README
+++ b/README
@@ -79,6 +79,7 @@ REQUIREMENTS:
 CONFIG_TMPFS_XATTR
 CONFIG_{TMPFS,EXT4,XFS,BTRFS_FS,...}_POSIX_ACL
 CONFIG_SECCOMP
+ CONFIG_SECCOMP_FILTER (required for seccomp support)
 CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
 
 Required for CPUShares= in resource control unit settings
-- cgit v1.2.3-54-g00ecf