[systemd-commits] src/nspawn
Lennart Poettering
lennart at kemper.freedesktop.org
Wed Feb 4 04:35:30 PST 2015
src/nspawn/nspawn.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
New commits:
commit d0a0ccf3fecdb422d3fb7ab89646fe9042f11acd
Author: Jay Faulkner <jay at jvf.cc>
Date: Tue Feb 3 17:45:50 2015 -0800
nspawn: Allow module loading if CAP_SYS_MODULE is requested
nspawn containers currently block module loading in all cases, with
no option to disable it. This allows an admin, specifically setting
capability=CAP_SYS_MODULE or capability=all to load modules.
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 1e6e7bf..fb67251 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2485,15 +2485,18 @@ static int setup_seccomp(void) {
static const int blacklist[] = {
SCMP_SYS(kexec_load),
SCMP_SYS(open_by_handle_at),
- SCMP_SYS(init_module),
- SCMP_SYS(finit_module),
- SCMP_SYS(delete_module),
SCMP_SYS(iopl),
SCMP_SYS(ioperm),
SCMP_SYS(swapon),
SCMP_SYS(swapoff),
};
+ static const int kmod_blacklist[] = {
+ SCMP_SYS(init_module),
+ SCMP_SYS(finit_module),
+ SCMP_SYS(delete_module),
+ };
+
scmp_filter_ctx seccomp;
unsigned i;
int r;
@@ -2518,6 +2521,20 @@ static int setup_seccomp(void) {
}
}
+ /* If the CAP_SYS_MODULE capability is not requested then
+ * we'll block the kmod syscalls too */
+ if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
+ for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) {
+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0);
+ if (r == -EFAULT)
+ continue; /* unknown syscall */
+ if (r < 0) {
+ log_error_errno(r, "Failed to block syscall: %m");
+ goto finish;
+ }
+ }
+ }
+
/*
Audit is broken in containers, much of the userspace audit
hookup will fail if running inside a container. We don't
More information about the systemd-commits
mailing list