[systemd-commits] 2 commits - Makefile.am man/systemd.exec.xml src/core src/nspawn src/shared

Lennart Poettering lennart at kemper.freedesktop.org
Tue Feb 18 22:14:37 CET 2014


 Makefile.am               |   42 +++++++++++++++++++++++++++++++++---------
 man/systemd.exec.xml      |   22 ++++------------------
 src/core/execute.c        |   18 ++++++++++++++----
 src/nspawn/nspawn.c       |   10 ++++++++++
 src/shared/seccomp-util.c |   26 ++++++++++++++++++++++++++
 src/shared/seccomp-util.h |    2 ++
 6 files changed, 89 insertions(+), 31 deletions(-)

New commits:
commit e9642be2cce7f5e90406980092a6f71f504a16af
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Feb 18 22:14:00 2014 +0100

    seccomp: add helper call to add all secondary archs to a seccomp filter
    
    And make use of it where appropriate for executing services and for
    nspawn.

diff --git a/Makefile.am b/Makefile.am
index 83c70a6..1a7f9fb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -196,7 +196,6 @@ AM_CPPFLAGS = \
 	-I $(top_srcdir)/src/libsystemd/sd-bus \
 	-I $(top_srcdir)/src/libsystemd/sd-event \
 	-I $(top_srcdir)/src/libsystemd/sd-rtnl \
-	$(SECCOMP_CFLAGS) \
 	$(OUR_CPPFLAGS)
 
 AM_CFLAGS = $(OUR_CFLAGS)
@@ -771,12 +770,6 @@ nodist_libsystemd_shared_la_SOURCES = \
 	src/shared/errno-from-name.h \
 	src/shared/errno-to-name.h
 
-if HAVE_SECCOMP
-libsystemd_shared_la_SOURCES += \
-	src/shared/seccomp-util.h \
-	src/shared/seccomp-util.c
-endif
-
 # ------------------------------------------------------------------------------
 noinst_LTLIBRARIES += \
 	libsystemd-units.la
@@ -817,6 +810,26 @@ libsystemd_label_la_LIBADD = \
 	$(SELINUX_LIBS)
 
 # ------------------------------------------------------------------------------
+
+if HAVE_SECCOMP
+
+noinst_LTLIBRARIES += \
+	libsystemd-seccomp.la
+
+libsystemd_seccomp_la_SOURCES = \
+	src/shared/seccomp-util.h \
+	src/shared/seccomp-util.c
+
+libsystemd_seccomp_la_CFLAGS = \
+	$(AM_CFLAGS) \
+	$(SECCOMP_CFLAGS)
+
+libsystemd_seccomp_la_LIBADD = \
+	$(SECCOMP_LIBS)
+
+endif
+
+# ------------------------------------------------------------------------------
 noinst_LTLIBRARIES += \
 	libsystemd-logs.la
 
@@ -999,6 +1012,7 @@ libsystemd_core_la_CFLAGS = \
 	$(LIBWRAP_CFLAGS) \
 	$(PAM_CFLAGS) \
 	$(AUDIT_CFLAGS) \
+	$(CAP_CFLAGS) \
 	$(KMOD_CFLAGS) \
 	$(SECCOMP_CFLAGS) \
 	-pthread
@@ -1015,8 +1029,13 @@ libsystemd_core_la_LIBADD = \
 	$(PAM_LIBS) \
 	$(AUDIT_LIBS) \
 	$(CAP_LIBS) \
-	$(SECCOMP_LIBS) \
-	$(KMOD_LIBS)
+	$(KMOD_LIBS) \
+	$(SECCOMP_LIBS)
+
+if HAVE_SECCOMP
+libsystemd_core_la_LIBADD += \
+	libsystemd-seccomp.la
+endif
 
 src/core/load-fragment-gperf-nulstr.c: src/core/load-fragment-gperf.gperf
 	$(AM_V_at)$(MKDIR_P) $(dir $@)
@@ -1846,6 +1865,10 @@ systemd_nspawn_SOURCES = \
 	src/core/loopback-setup.c \
 	src/core/loopback-setup.h
 
+systemd_nspawn_CFLAGS = \
+	$(AM_CFLAGS) \
+	$(SECCOMP_CFLAGS)
+
 systemd_nspawn_LDADD = \
 	libsystemd-label.la \
 	libsystemd-capability.la \
@@ -1853,6 +1876,7 @@ systemd_nspawn_LDADD = \
 	libsystemd-daemon-internal.la \
 	libudev-internal.la \
 	libsystemd-shared.la \
+	libsystemd-seccomp.la \
 	$(SECCOMP_LIBS)
 
 # ------------------------------------------------------------------------------
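Review bot: `libsystemd-seccomp.la` is added to `systemd_nspawn_LDADD` unconditionally at the `+	libsystemd-seccomp.la \` line, while the library itself is only declared inside `if HAVE_SECCOMP` (the hunk adding `noinst_LTLIBRARIES += libsystemd-seccomp.la`) and `libsystemd_core_la_LIBADD` receives it under that same conditional; unless the systemd_nspawn block sits inside a HAVE_SECCOMP conditional outside this hunk, a tree configured without seccomp will try to link nspawn against a library that is never built. Mirror the core rule: drop the line from the unconditional list and append `if HAVE_SECCOMP` / `systemd_nspawn_LDADD += libsystemd-seccomp.la` / `endif`, which also matches nspawn.c, where the seccomp-util.h include is already wrapped in `#ifdef HAVE_SECCOMP`.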
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 252992b..e82e1f5 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1050,14 +1050,6 @@
                                 <function>write</function> will be
                                 removed from the set.)
                                 </para></listitem>
-
-                                <para>Note that setting
-                                <varname>SystemCallFilter=</varname>
-                                implies a
-                                <varname>SystemCallArchitectures=</varname>
-                                setting of <literal>native</literal>
-                                (see below), unless that option is
-                                configured otherwise.</para>
                         </varlistentry>
 
                         <varlistentry>
@@ -1099,8 +1091,8 @@
                                 unit. This is an effective way to
                                 disable compatibility with non-native
                                 architectures for processes, for
-                                example to prohibit execution of 32-bit
-                                x86 binaries on 64-bit x86-64
+                                example to prohibit execution of
+                                32-bit x86 binaries on 64-bit x86-64
                                 systems. The special
                                 <literal>native</literal> identifier
                                 implicitly maps to the native
@@ -1112,14 +1104,8 @@
                                 <literal>native</literal> is included
                                 too. By default, this option is set to
                                 the empty list, i.e. no architecture
-                                system call filtering is applied. Note
-                                that configuring a system call filter
-                                with
-                                <varname>SystemCallFilter=</varname>
-                                (above) implies a
-                                <literal>native</literal> architecture
-                                list, unless configured
-                                otherwise.</para></listitem>
+                                system call filtering is
+                                applied.</para></listitem>
                         </varlistentry>
 
                 </variablelist>
diff --git a/src/core/execute.c b/src/core/execute.c
index be15fb9..4b1177a 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -957,10 +957,20 @@ static int apply_seccomp(ExecContext *c) {
         if (!seccomp)
                 return -ENOMEM;
 
-        SET_FOREACH(id, c->syscall_archs, i) {
-                r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
-                if (r == -EEXIST)
-                        continue;
+        if (c->syscall_archs) {
+
+                SET_FOREACH(id, c->syscall_archs, i) {
+                        r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
+                        if (r == -EEXIST)
+                                continue;
+                        if (r < 0) {
+                                seccomp_release(seccomp);
+                                return r;
+                        }
+                }
+        } else {
+
+                r = seccomp_add_secondary_archs(seccomp);
                 if (r < 0) {
                         seccomp_release(seccomp);
                         return r;
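Review bot: The new else branch around `seccomp_add_secondary_archs(seccomp)` should say why the filter is widened when no SystemCallArchitectures= set is configured, since the man page note that used to explain the default is removed in this same commit; suggested comment above the call: `/* No explicit arch list: cover every ABI this kernel may execute, so the filter cannot be sidestepped by a binary using another ABI. */`. The guard `if (c->syscall_archs)` only distinguishes a NULL set; if the config parser can leave an allocated but empty set, that branch adds no architectures and also skips the secondary-arch fallback, so `if (!set_isempty(c->syscall_archs))` would be the more robust test, worth confirming against the parser. apply_seccomp starts and ends outside the hunk.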
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 5a2467d..54f7187 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -79,6 +79,10 @@
 #include "rtnl-util.h"
 #include "udev-util.h"
 
+#ifdef HAVE_SECCOMP
+#include "seccomp-util.h"
+#endif
+
 typedef enum LinkJournal {
         LINK_NO,
         LINK_AUTO,
@@ -1521,6 +1525,12 @@ static int audit_still_doesnt_work_in_containers(void) {
         if (!seccomp)
                 return log_oom();
 
+        r = seccomp_add_secondary_archs(seccomp);
+        if (r < 0 && r != -EEXIST) {
+                log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
+                goto finish;
+        }
+
         r = seccomp_rule_add_exact(
                         seccomp,
                         SCMP_ACT_ERRNO(EAFNOSUPPORT),
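Review bot: The `r != -EEXIST` test after `seccomp_add_secondary_archs(seccomp)` is dead, because the helper in src/shared/seccomp-util.c already treats -EEXIST from seccomp_arch_add() as success and returns 0; `if (r < 0) {` states the contract plainly and keeps a reader from assuming the helper can report -EEXIST. Calling the helper before `seccomp_rule_add_exact()` is the right order: if libseccomp does not replicate rules already in the filter into architectures added afterwards (worth confirming for the libseccomp version in use), the AF_NETLINK rule would otherwise be missing for exactly the 32-bit ABIs this commit sets out to cover, and a comment such as `/* Architectures must be in the filter before rules are added, so the rule below is built for all of them. */` would keep the order from being reshuffled later. The enclosing function audit_still_doesnt_work_in_containers begins and ends outside the hunk.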
@@ -1539,14 +1549,6 @@ static int audit_still_doesnt_work_in_containers(void) {
                 goto finish;
         }
 
-#ifdef __x86_64__
-        r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
-        if (r < 0 && r != -EEXIST) {
-                log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
-                goto finish;
-        }
-#endif
-
         r = seccomp_load(seccomp);
         if (r < 0)
                 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index ee39cc7..d73a749 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -61,3 +61,29 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
 
         return 0;
 }
+
+int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
+
+#if defined(__i386__) || defined(__x86_64__)
+        int r;
+
+        /* Add in all possible secondary archs we are aware of that
+         * this kernel might support. */
+
+        r = seccomp_arch_add(c, SCMP_ARCH_X86);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+        r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+        r = seccomp_arch_add(c, SCMP_ARCH_X32);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+#endif
+
+        return 0;
+
+}
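Review bot: `seccomp_add_secondary_archs()` has no contract documentation here or on its declaration in src/shared/seccomp-util.h, and its behaviour is not obvious from the name: on x86 hosts it adds x86, x86_64 and x32 (the native ABI included, relying on -EEXIST being swallowed), while on every other build architecture it is a silent no-op returning 0, so a caller on another platform gets no secondary-ABI coverage and no signal of that. A header comment on the declaration should state that it adds every secondary ABI known for the build architecture so a syscall filter cannot be bypassed by switching ABI, that -EEXIST is treated as success, that it returns 0 when no secondary ABIs are known for the platform, and that it is meant to be called before rules are added if libseccomp does not apply earlier rules to later-added architectures (to be confirmed). Declaring `int r;` inside the `#if` block is unusual, but hoisting it to function scope would produce an unused-variable warning on non-x86 builds, so the placement is defensible and merits only a short comment.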
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 6b63902..9a51a85 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -24,3 +24,5 @@
 
 const char* seccomp_arch_to_string(uint32_t c);
 int seccomp_arch_from_string(const char *n, uint32_t *ret);
+
+int seccomp_add_secondary_archs(scmp_filter_ctx *c);

commit f3d5485b805de60ee71810eeb58e82d44ce24fe1
Author: Dave Reisner <dreisner at archlinux.org>
Date:   Tue Feb 18 14:44:14 2014 -0500

    nspawn: allow 32-bit chroots from 64-bit hosts
    
    Arch Linux uses nspawn as a container for building packages and needs
    to be able to start a 32bit chroot from a 64bit host. 24fb11120756
    disrupted this feature when seccomp handling was added.

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 089af07..5a2467d 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1539,6 +1539,14 @@ static int audit_still_doesnt_work_in_containers(void) {
                 goto finish;
         }
 
+#ifdef __x86_64__
+        r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
+        if (r < 0 && r != -EEXIST) {
+                log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
+                goto finish;
+        }
+#endif
+
         r = seccomp_load(seccomp);
         if (r < 0)
                 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
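Review bot: The `seccomp_arch_add(seccomp, SCMP_ARCH_X86)` call sits after the `seccomp_rule_add_exact()` call earlier in this function; if libseccomp does not apply already-added rules to an architecture added later (worth verifying for the libseccomp version in use), the AF_NETLINK rule would be absent for the x86 ABI and a 32-bit container would be left as unfiltered as before this patch, which is a silent security gap rather than a visible failure. Moving the architecture addition above the rule, as the following commit e9642be on this page does through seccomp_add_secondary_archs(), removes the doubt either way. The `#ifdef __x86_64__` guard also covers only one host/ABI pair and leaves x32 out, which that later helper addresses as well. audit_still_doesnt_work_in_containers starts and ends outside the hunk.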


