From 502d704e5ed2d288069471f4e3611115cde107d6 Mon Sep 17 00:00:00 2001
From: Djalal Harouni
Date: Wed, 12 Oct 2016 13:31:21 +0200
Subject: core:sandbox: Add ProtectKernelModules= option

This is useful to turn off explicit module load and unload operations on modular kernels. This option removes CAP_SYS_MODULE from the capability bounding set for the unit, and installs a system call filter to block module system calls. This option will not prevent the kernel from loading modules using the module auto-load feature which is a system wide operation.
---
 src/core/unit.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'src/core/unit.c')

diff --git a/src/core/unit.c b/src/core/unit.c
index 690f7f7dd9..71f95c0b96 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3401,6 +3401,9 @@ int unit_patch_contexts(Unit *u) {
 if (ec->private_devices)
 ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_MKNOD);

+ if (ec->protect_kernel_modules)
+ ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYS_MODULE);
+
 if (ec->dynamic_user) {
 if (!ec->user) {
 r = user_from_unit_name(u, &ec->user);
-- 
cgit v1.2.3-54-g00ecf

From 2cd0a735470894bd2d25147442285744764633a1 Mon Sep 17 00:00:00 2001
From: Djalal Harouni
Date: Fri, 7 Oct 2016 20:38:05 +0200
Subject: core:sandbox: remove CAP_SYS_RAWIO on PrivateDevices=yes

The rawio system calls were filtered, but CAP_SYS_RAWIO allows to access raw data through /proc, ioctl and some other exotic system calls...
---
 man/systemd.exec.xml | 4 ++--
 src/core/unit.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/core/unit.c')

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 3bea4976b3..c46c0f6dd8 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
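Review bot: In the first commit's src/core/unit.c hunk, the new `if (ec->protect_kernel_modules)` branch only clears CAP_SYS_MODULE from `capability_bounding_set`, while the commit message also describes a system call filter for module syscalls and a caveat about kernel auto-loading; neither is visible here (the view is limited to src/core/unit.c), so a why-comment on the new line would keep the two halves linked, e.g. `/* ProtectKernelModules=: drop explicit module load/unload; the module syscall filter is installed elsewhere, and kernel-side module auto-loading is unaffected */`. The added line mirrors the `private_devices` case just above it, so keeping the same `UINT64_C(1) << CAP_*` form is the consistent choice. unit_patch_contexts() starts and ends outside the hunk.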
@@ -946,8 +946,8 @@
 /dev/port and others. This is useful to securely turn off physical device access by the executed process. Defaults to false. Enabling this option will install a system call filter to block low-level I/O system calls that are grouped in the @raw-io set, will also remove
- CAP_MKNOD from the capability bounding set for the unit (see above), and set
- DevicePolicy=closed (see
+ CAP_MKNOD and CAP_SYS_RAWIO from the capability bounding set for
+ the unit (see above), and set DevicePolicy=closed (see
 systemd.resource-control5 for details). Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for
diff --git a/src/core/unit.c b/src/core/unit.c
index 71f95c0b96..67668bdc48 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3399,7 +3399,7 @@ int unit_patch_contexts(Unit *u) {
 ec->no_new_privileges = true;

 if (ec->private_devices)
- ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_MKNOD);
+ ec->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) | (UINT64_C(1) << CAP_SYS_RAWIO));

 if (ec->protect_kernel_modules)
 ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYS_MODULE);
-- 
cgit v1.2.3-54-g00ecf
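Review bot: In the second commit's src/core/unit.c hunk, the replacement line builds the bounding-set mask from two shifted `UINT64_C(1)` terms inline, so the line is long and nothing near it records why CAP_SYS_RAWIO is now dropped together with CAP_MKNOD even though the @raw-io syscall filter already exists; a why-comment above `if (ec->private_devices)` would carry the commit message's reasoning into the code, e.g. `/* PrivateDevices=: @raw-io filters the raw I/O syscalls, but CAP_SYS_RAWIO still grants raw access via /proc, ioctl and others, so drop it too */`. If further capabilities are added to this case later, a named `uint64_t` mask local would keep the expression readable, but the two-term form is acceptable as written. The man page hunk in the same commit documents this change; unit_patch_contexts() starts and ends outside the hunk.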