seccomp: add helper call to add all secondary archs to a seccomp filter
authorLennart Poettering <lennart@poettering.net>
Tue, 18 Feb 2014 21:14:00 +0000 (22:14 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 18 Feb 2014 21:14:00 +0000 (22:14 +0100)
And make use of it where appropriate for executing services and for
nspawn.

Makefile.am
man/systemd.exec.xml
src/core/execute.c
src/nspawn/nspawn.c
src/shared/seccomp-util.c
src/shared/seccomp-util.h

index 83c70a63e2890d27cf89eb9d765a967979a373ae..1a7f9fb5b050cadb02fa3bc24077c8c12c4d5d37 100644 (file)
@@ -196,7 +196,6 @@ AM_CPPFLAGS = \
        -I $(top_srcdir)/src/libsystemd/sd-bus \
        -I $(top_srcdir)/src/libsystemd/sd-event \
        -I $(top_srcdir)/src/libsystemd/sd-rtnl \
        -I $(top_srcdir)/src/libsystemd/sd-bus \
        -I $(top_srcdir)/src/libsystemd/sd-event \
        -I $(top_srcdir)/src/libsystemd/sd-rtnl \
-       $(SECCOMP_CFLAGS) \
        $(OUR_CPPFLAGS)
 
 AM_CFLAGS = $(OUR_CFLAGS)
        $(OUR_CPPFLAGS)
 
 AM_CFLAGS = $(OUR_CFLAGS)
@@ -771,12 +770,6 @@ nodist_libsystemd_shared_la_SOURCES = \
        src/shared/errno-from-name.h \
        src/shared/errno-to-name.h
 
        src/shared/errno-from-name.h \
        src/shared/errno-to-name.h
 
-if HAVE_SECCOMP
-libsystemd_shared_la_SOURCES += \
-       src/shared/seccomp-util.h \
-       src/shared/seccomp-util.c
-endif
-
 # ------------------------------------------------------------------------------
 noinst_LTLIBRARIES += \
        libsystemd-units.la
 # ------------------------------------------------------------------------------
 noinst_LTLIBRARIES += \
        libsystemd-units.la
@@ -816,6 +809,26 @@ libsystemd_label_la_CFLAGS = \
 libsystemd_label_la_LIBADD = \
        $(SELINUX_LIBS)
 
 libsystemd_label_la_LIBADD = \
        $(SELINUX_LIBS)
 
+# ------------------------------------------------------------------------------
+
+if HAVE_SECCOMP
+
+noinst_LTLIBRARIES += \
+       libsystemd-seccomp.la
+
+libsystemd_seccomp_la_SOURCES = \
+       src/shared/seccomp-util.h \
+       src/shared/seccomp-util.c
+
+libsystemd_seccomp_la_CFLAGS = \
+       $(AM_CFLAGS) \
+       $(SECCOMP_CFLAGS)
+
+libsystemd_seccomp_la_LIBADD = \
+       $(SECCOMP_LIBS)
+
+endif
+
 # ------------------------------------------------------------------------------
 noinst_LTLIBRARIES += \
        libsystemd-logs.la
 # ------------------------------------------------------------------------------
 noinst_LTLIBRARIES += \
        libsystemd-logs.la
@@ -999,6 +1012,7 @@ libsystemd_core_la_CFLAGS = \
        $(LIBWRAP_CFLAGS) \
        $(PAM_CFLAGS) \
        $(AUDIT_CFLAGS) \
        $(LIBWRAP_CFLAGS) \
        $(PAM_CFLAGS) \
        $(AUDIT_CFLAGS) \
+       $(CAP_CFLAGS) \
        $(KMOD_CFLAGS) \
        $(SECCOMP_CFLAGS) \
        -pthread
        $(KMOD_CFLAGS) \
        $(SECCOMP_CFLAGS) \
        -pthread
@@ -1015,8 +1029,13 @@ libsystemd_core_la_LIBADD = \
        $(PAM_LIBS) \
        $(AUDIT_LIBS) \
        $(CAP_LIBS) \
        $(PAM_LIBS) \
        $(AUDIT_LIBS) \
        $(CAP_LIBS) \
-       $(SECCOMP_LIBS) \
-       $(KMOD_LIBS)
+       $(KMOD_LIBS) \
+       $(SECCOMP_LIBS)
+
+if HAVE_SECCOMP
+libsystemd_core_la_LIBADD += \
+       libsystemd-seccomp.la
+endif
 
 src/core/load-fragment-gperf-nulstr.c: src/core/load-fragment-gperf.gperf
        $(AM_V_at)$(MKDIR_P) $(dir $@)
 
 src/core/load-fragment-gperf-nulstr.c: src/core/load-fragment-gperf.gperf
        $(AM_V_at)$(MKDIR_P) $(dir $@)
@@ -1846,6 +1865,10 @@ systemd_nspawn_SOURCES = \
        src/core/loopback-setup.c \
        src/core/loopback-setup.h
 
        src/core/loopback-setup.c \
        src/core/loopback-setup.h
 
+systemd_nspawn_CFLAGS = \
+       $(AM_CFLAGS) \
+       $(SECCOMP_CFLAGS)
+
 systemd_nspawn_LDADD = \
        libsystemd-label.la \
        libsystemd-capability.la \
 systemd_nspawn_LDADD = \
        libsystemd-label.la \
        libsystemd-capability.la \
@@ -1853,6 +1876,7 @@ systemd_nspawn_LDADD = \
        libsystemd-daemon-internal.la \
        libudev-internal.la \
        libsystemd-shared.la \
        libsystemd-daemon-internal.la \
        libudev-internal.la \
        libsystemd-shared.la \
+       libsystemd-seccomp.la \
        $(SECCOMP_LIBS)
 
 # ------------------------------------------------------------------------------
        $(SECCOMP_LIBS)
 
 # ------------------------------------------------------------------------------
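Review bot: The `systemd_nspawn_LDADD` hunk adds `libsystemd-seccomp.la` unconditionally, but that convenience library is only defined inside `if HAVE_SECCOMP` in the hunk above, so a tree configured without libseccomp will presumably fail at link time on a missing target. The core library in this same change handles it correctly with a conditional block, and nspawn should mirror that: `if HAVE_SECCOMP` / `systemd_nspawn_LDADD += libsystemd-seccomp.la` / `endif` placed after the LDADD list instead of the bare line inside it. `$(SECCOMP_LIBS)` and `$(SECCOMP_CFLAGS)` expanding to empty are harmless and can stay as they are.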
index 252992bc600e1516c020ca74c211894060aa4b51..e82e1f59f0ec87d6fa4c56849175558c6177aef8 100644 (file)
                                 <function>write</function> will be
                                 removed from the set.)
                                 </para></listitem>
                                 <function>write</function> will be
                                 removed from the set.)
                                 </para></listitem>
-
-                                <para>Note that setting
-                                <varname>SystemCallFilter=</varname>
-                                implies a
-                                <varname>SystemCallArchitectures=</varname>
-                                setting of <literal>native</literal>
-                                (see below), unless that option is
-                                configured otherwise.</para>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
                                 unit. This is an effective way to
                                 disable compatibility with non-native
                                 architectures for processes, for
                                 unit. This is an effective way to
                                 disable compatibility with non-native
                                 architectures for processes, for
-                                example to prohibit execution of 32-bit
-                                x86 binaries on 64-bit x86-64
+                                example to prohibit execution of
+                                32-bit x86 binaries on 64-bit x86-64
                                 systems. The special
                                 <literal>native</literal> identifier
                                 implicitly maps to the native
                                 systems. The special
                                 <literal>native</literal> identifier
                                 implicitly maps to the native
                                 <literal>native</literal> is included
                                 too. By default, this option is set to
                                 the empty list, i.e. no architecture
                                 <literal>native</literal> is included
                                 too. By default, this option is set to
                                 the empty list, i.e. no architecture
-                                system call filtering is applied. Note
-                                that configuring a system call filter
-                                with
-                                <varname>SystemCallFilter=</varname>
-                                (above) implies a
-                                <literal>native</literal> architecture
-                                list, unless configured
-                                otherwise.</para></listitem>
+                                system call filtering is
+                                applied.</para></listitem>
                         </varlistentry>
 
                 </variablelist>
                         </varlistentry>
 
                 </variablelist>
index be15fb95eea99dc7870ce35a10d3789320278311..4b1177a7e5eb5eb198ecb333215c1c72c1223d08 100644 (file)
@@ -957,10 +957,20 @@ static int apply_seccomp(ExecContext *c) {
         if (!seccomp)
                 return -ENOMEM;
 
         if (!seccomp)
                 return -ENOMEM;
 
-        SET_FOREACH(id, c->syscall_archs, i) {
-                r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
-                if (r == -EEXIST)
-                        continue;
+        if (c->syscall_archs) {
+
+                SET_FOREACH(id, c->syscall_archs, i) {
+                        r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
+                        if (r == -EEXIST)
+                                continue;
+                        if (r < 0) {
+                                seccomp_release(seccomp);
+                                return r;
+                        }
+                }
+        } else {
+
+                r = seccomp_add_secondary_archs(seccomp);
                 if (r < 0) {
                         seccomp_release(seccomp);
                         return r;
                 if (r < 0) {
                         seccomp_release(seccomp);
                         return r;
index 5a2467d6e2e7b302fd884b4f220ff65006929af2..54f71877542538507a571068348473e0f22fc399 100644 (file)
 #include "rtnl-util.h"
 #include "udev-util.h"
 
 #include "rtnl-util.h"
 #include "udev-util.h"
 
+#ifdef HAVE_SECCOMP
+#include "seccomp-util.h"
+#endif
+
 typedef enum LinkJournal {
         LINK_NO,
         LINK_AUTO,
 typedef enum LinkJournal {
         LINK_NO,
         LINK_AUTO,
@@ -1521,6 +1525,12 @@ static int audit_still_doesnt_work_in_containers(void) {
         if (!seccomp)
                 return log_oom();
 
         if (!seccomp)
                 return log_oom();
 
+        r = seccomp_add_secondary_archs(seccomp);
+        if (r < 0 && r != -EEXIST) {
+                log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
+                goto finish;
+        }
+
         r = seccomp_rule_add_exact(
                         seccomp,
                         SCMP_ACT_ERRNO(EAFNOSUPPORT),
         r = seccomp_rule_add_exact(
                         seccomp,
                         SCMP_ACT_ERRNO(EAFNOSUPPORT),
@@ -1539,14 +1549,6 @@ static int audit_still_doesnt_work_in_containers(void) {
                 goto finish;
         }
 
                 goto finish;
         }
 
-#ifdef __x86_64__
-        r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
-        if (r < 0 && r != -EEXIST) {
-                log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
-                goto finish;
-        }
-#endif
-
         r = seccomp_load(seccomp);
         if (r < 0)
                 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
         r = seccomp_load(seccomp);
         if (r < 0)
                 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
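Review bot: `seccomp_add_secondary_archs()` is now called before `seccomp_rule_add_exact()`, whereas the removed x86 `seccomp_arch_add()` sat after the rule; as far as I recall libseccomp applies a rule only to the architectures present in the filter at the time the rule is added, so the new ordering is what makes the AF_AUDIT rule reach the compat ABIs at all, and that dependency deserves a comment so it is not reordered later: `/* Add secondary archs before any rule: libseccomp applies a rule only to archs already in the filter. */`. The `r != -EEXIST` half of the new check is redundant, since the helper already maps -EEXIST to success and returns 0, so `if (r < 0) {` is sufficient. audit_still_doesnt_work_in_containers starts and ends outside this hunk.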
index ee39cc7c1d296c6e4325338dcbd71fff62725479..d73a74912e385385c8ad808cb61a0835a380d9f8 100644 (file)
@@ -61,3 +61,29 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
 
         return 0;
 }
 
         return 0;
 }
+
+int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
+
+#if defined(__i386__) || defined(__x86_64__)
+        int r;
+
+        /* Add in all possible secondary archs we are aware of that
+         * this kernel might support. */
+
+        r = seccomp_arch_add(c, SCMP_ARCH_X86);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+        r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+        r = seccomp_arch_add(c, SCMP_ARCH_X32);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+#endif
+
+        return 0;
+
+}
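Review bot: The parameter is declared `scmp_filter_ctx *c`, but libseccomp defines `scmp_filter_ctx` as `void *`, so this takes a `void **` while the callers pass the bare context and `seccomp_arch_add()` receives it as `void *` — it compiles only because `void *` converts implicitly in both directions, and a reader will take it for a pointer-to-context. The signature should be `int seccomp_add_secondary_archs(scmp_filter_ctx c)` here and in the header. On non-x86 builds `c` is unused, which `-Wunused-parameter` will flag; a `#else` branch with `(void) c;` avoids that. The comment on the x86 block should also say that the native arch is deliberately added too and absorbed by the `-EEXIST` check, which is what makes the helper safe to call unchanged on both 32-bit and 64-bit hosts.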
index 6b63902f5df48b8a402be79a48230febcccef476..9a51a85b49c0ba86af8a3a4b13a02c1d02b72e1a 100644 (file)
@@ -24,3 +24,5 @@
 
 const char* seccomp_arch_to_string(uint32_t c);
 int seccomp_arch_from_string(const char *n, uint32_t *ret);
 
 const char* seccomp_arch_to_string(uint32_t c);
 int seccomp_arch_from_string(const char *n, uint32_t *ret);
+
+int seccomp_add_secondary_archs(scmp_filter_ctx *c);
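Review bot: The new prototype carries no comment, and the helper's contract is not obvious from its name: it adds the x86, x86-64 and x32 ABIs (tolerating the one already present via -EEXIST), does nothing and returns 0 on other architectures, and otherwise returns the negative value from `seccomp_arch_add()`. A short `/* ... */` above the declaration stating those three points would spare callers reading the implementation, and should add that it must be called before rules are added if those rules are meant to apply to the extra ABIs, assuming libseccomp's usual behaviour of applying a rule only to archs already in the filter.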