exec: imply NoNewPriviliges= only when seccomp filters are used in user mode
authorLennart Poettering <lennart@poettering.net>
Wed, 26 Feb 2014 01:28:52 +0000 (02:28 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 26 Feb 2014 01:28:52 +0000 (02:28 +0100)
man/systemd.exec.xml
src/core/execute.c
src/core/unit.c

index 413d81d330f1e6f93fc0f07512284786c6a626ef..9224f1ef3d5e38afcb6e2d83b4fc08f3a1f24244 100644 (file)
                         <varlistentry>
                                 <term><varname>SystemCallFilter=</varname></term>
 
-                                <listitem><para>Takes a space-separated
-                                list of system call
+                                <listitem><para>Takes a
+                                space-separated list of system call
                                 names. If this setting is used, all
                                 system calls executed by the unit
                                 processes except for the listed ones
                                 the effect is inverted: only the
                                 listed system calls will result in
                                 immediate process termination
-                                (blacklisting). If this option is used,
+                                (blacklisting). If running in user
+                                mode and this option is used,
                                 <varname>NoNewPrivileges=yes</varname>
-                                is implied. This feature makes use of
-                                the Secure Computing Mode 2 interfaces
-                                of the kernel ('seccomp filtering')
-                                and is useful for enforcing a minimal
+                                is implied. This feature makes use of the
+                                Secure Computing Mode 2 interfaces of
+                                the kernel ('seccomp filtering') and
+                                is useful for enforcing a minimal
                                 sandboxing environment. Note that the
                                 <function>execve</function>,
                                 <function>rt_sigreturn</function>,
                                 <constant>x86</constant>,
                                 <constant>x86-64</constant>,
                                 <constant>x32</constant>,
-                                <constant>arm</constant> as well as the
-                                special identifier
-                                <constant>native</constant>. Only system
-                                calls of the specified architectures
-                                will be permitted to processes of this
-                                unit. This is an effective way to
-                                disable compatibility with non-native
-                                architectures for processes, for
-                                example to prohibit execution of
-                                32-bit x86 binaries on 64-bit x86-64
-                                systems. The special
+                                <constant>arm</constant> as well as
+                                the special identifier
+                                <constant>native</constant>. Only
+                                system calls of the specified
+                                architectures will be permitted to
+                                processes of this unit. This is an
+                                effective way to disable compatibility
+                                with non-native architectures for
+                                processes, for example to prohibit
+                                execution of 32-bit x86 binaries on
+                                64-bit x86-64 systems. The special
                                 <constant>native</constant> identifier
                                 implicitly maps to the native
                                 architecture of the system (or more
                                 strictly: to the architecture the
-                                system manager is compiled for). Note
-                                that setting this option to a
-                                non-empty list implies that
-                                <constant>native</constant> is included
-                                too. By default, this option is set to
-                                the empty list, i.e. no architecture
-                                system call filtering is
+                                system manager is compiled for). If
+                                running in user mode and this option
+                                is used,
+                                <varname>NoNewPrivileges=yes</varname>
+                                is implied. Note that setting this
+                                option to a non-empty list implies
+                                that <constant>native</constant> is
+                                included too. By default, this option
+                                is set to the empty list, i.e. no
+                                architecture system call filtering is
                                 applied.</para></listitem>
                         </varlistentry>
 
                                 sockets only) are unaffected. Note
                                 that this option has no effect on
                                 32bit x86 and is ignored (but works
-                                correctly on x86-64). By default no
+                                correctly on x86-64). If running in user
+                                mode and this option is used,
+                                <varname>NoNewPrivileges=yes</varname>
+                                is implied. By default no
                                 restriction applies, all address
                                 families are accessible to
                                 processes. If assigned the empty
index fff25c2b236b9c96dafe8232a507a126d7974502..9de6e8726f2c42ac05e6a855cc29dadac13016d0 100644 (file)
@@ -1706,7 +1706,8 @@ int exec_spawn(ExecCommand *command,
                                 }
 
 #ifdef HAVE_SECCOMP
-                        if (context->address_families) {
+                        if (context->address_families_whitelist ||
+                            !set_isempty(context->address_families)) {
                                 err = apply_address_families(context);
                                 if (err < 0) {
                                         r = EXIT_ADDRESS_FAMILIES;
@@ -1714,7 +1715,9 @@ int exec_spawn(ExecCommand *command,
                                 }
                         }
 
-                        if (context->syscall_filter || context->syscall_archs) {
+                        if (context->syscall_whitelist ||
+                            !set_isempty(context->syscall_filter) ||
+                            !set_isempty(context->syscall_archs)) {
                                 err = apply_seccomp(context);
                                 if (err < 0) {
                                         r = EXIT_SECCOMP;
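Review bot: Since NoNewPrivileges= is no longer implied in system mode, the apply_seccomp() call guarded by the new condition now runs without no_new_privs for system units and therefore relies on the process still holding CAP_SYS_ADMIN at this point; if the User=/CapabilityBoundingSet= transitions in exec_spawn() have already happened here (the function starts and ends outside the hunk, so the ordering is not visible), the kernel rejects the filter with EACCES and the unit fails with EXIT_SECCOMP rather than running unfiltered, which is the safe direction but worth stating. A comment on the `#ifdef HAVE_SECCOMP` branch would pin the invariant: `/* Without no_new_privs the filter install needs CAP_SYS_ADMIN, so this must run before any User=/capability drop. */`. The `whitelist || !set_isempty(...)` predicate is now spelled out three times (here, in the address-family branch above and in unit_exec_context_patch_defaults()); a single helper such as `exec_context_needs_seccomp(const ExecContext *c)` next to the ExecContext definition would keep them from drifting apart.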
index 9d54147adb7e52718aa0f67c032e67845c1a5f7a..05470739d289a20e7023c0f28fa93d9cd28cbba8 100644 (file)
@@ -2817,6 +2817,14 @@ int unit_exec_context_patch_defaults(Unit *u, ExecContext *c) {
                         return r;
         }
 
+        if (u->manager->running_as == SYSTEMD_USER &&
+            (c->syscall_whitelist ||
+             !set_isempty(c->syscall_filter) ||
+             !set_isempty(c->syscall_archs) ||
+             c->address_families_whitelist ||
+             !set_isempty(c->address_families)))
+                c->no_new_privileges = true;
+
         return 0;
 }
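Review bot: The new branch silently flips an explicitly configured `NoNewPrivileges=no` to true for any user-mode unit that uses SystemCallFilter=, SystemCallArchitectures= or RestrictAddressFamilies=, and nothing in the code says why the implication is restricted to SYSTEMD_USER. A why-comment above the `if` would save the next reader a trip to the kernel docs: `/* A seccomp filter can only be installed with CAP_SYS_ADMIN or no_new_privs set. The user manager has no CAP_SYS_ADMIN, so NNP is the only way its filters can work; system units keep NNP optional so setuid helpers still run under the filter. */` (the CAP_SYS_ADMIN alternative is presumably what the system-mode path relies on). Consider logging at debug level when a user-specified value is overridden here, so the override is discoverable instead of surprising. unit_exec_context_patch_defaults() starts outside the hunk.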