From: Jay Faulkner
Date: Wed, 4 Feb 2015 01:45:50 +0000 (-0800)
Subject: nspawn: Allow module loading if CAP_SYS_MODULE is requested
X-Git-Tag: v219~151
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=d0a0ccf3fecdb422d3fb7ab89646fe9042f11acd;ds=sidebyside

nspawn: Allow module loading if CAP_SYS_MODULE is requested

nspawn containers currently block module loading in all cases, with no option to disable it. This allows an admin, specifically setting capability=CAP_SYS_MODULE or capability=all to load modules.
---
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 1e6e7bf30..fb672510b 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2485,15 +2485,18 @@ static int setup_seccomp(void) {
 static const int blacklist[] = {
 SCMP_SYS(kexec_load),
 SCMP_SYS(open_by_handle_at),
- SCMP_SYS(init_module),
- SCMP_SYS(finit_module),
- SCMP_SYS(delete_module),
 SCMP_SYS(iopl),
 SCMP_SYS(ioperm),
 SCMP_SYS(swapon),
 SCMP_SYS(swapoff),
 };
+ static const int kmod_blacklist[] = {
+ SCMP_SYS(init_module),
+ SCMP_SYS(finit_module),
+ SCMP_SYS(delete_module),
+ };
+
 scmp_filter_ctx seccomp;
 unsigned i;
 int r;
@@ -2518,6 +2521,20 @@ static int setup_seccomp(void) {
 }
 }
+ /* If the CAP_SYS_MODULE capability is not requested then
+ * we'll block the kmod syscalls too */
+ if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
+ for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) {
+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0);
+ if (r == -EFAULT)
+ continue; /* unknown syscall */
+ if (r < 0) {
+ log_error_errno(r, "Failed to block syscall: %m");
+ goto finish;
+ }
+ }
+ }
+
 /* Audit is broken in containers, much of the userspace audit hookup will fail if running inside a container. We don't
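Review bot: The gate `if (!(arg_retain & (1ULL << CAP_SYS_MODULE)))` silently changes what an existing `--capability=all` means: the first hunk removes the three kmod syscalls from the unconditional blacklist, so a container that was given `all` for other reasons loses the seccomp backstop against module loading with no new opt-in, and a module loaded from inside the container executes with full host kernel privileges (the commit message names `capability=all` as an intended path). That trust boundary should be stated where admins will see it — the `--capability=` man page entry and NEWS — and the new comment could carry it too: `/* If the CAP_SYS_MODULE capability is not requested then we'll block the kmod syscalls too. Retaining it (explicitly or via "all") hands the container full control of the host kernel. */`. The `-EFAULT` skip mirrors the existing blacklist loop above, but a `log_debug()` there would make a silently unfiltered kmod syscall visible on kernels where libseccomp does not know the number. setup_seccomp() begins before the first hunk and continues after the last line shown.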