Skip to content

nspawn seccomp improvements #6798

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
poettering merged 5 commits into from
Sep 13, 2017
Merged

nspawn seccomp improvements #6798

poettering merged 5 commits into from
Sep 13, 2017

Conversation

@poettering
Copy link
Member

@poettering poettering commented Sep 11, 2017

A number of clean-ups for the nspawn seccomp code, all leading up to a fix for #5163. This includes an alternative (but more comprehensive) to #5944 which appears to have stalled.

@poettering
seccomp: drop default_action parameter from seccomp_add_syscall_filte…
12dc378 
…r_set()

The function doesn't actually use the parameter, hence let's drop it.
@poettering
seccomp: split out inner loop code of seccomp_add_syscall_filter_set()
69b1b24 
Let's add a new helper function seccomp_add_syscall_filter_item() that
contains the inner loop code of seccomp_add_syscall_filter_set(). This
helper function we can then export and make use of elsewhere.
@poettering
nspawn: part over seccomp code to use seccomp_add_syscall_filter_item()
402530d 
Let's unify a bit of the code here.
@poettering
nspawn: replace homegrown seccomp filter table largely with reference…
7609340 
…s to the existing syscall groups

Let's shorten the table, now that we are hooked up to the syscall group
system.
@poettering poettering mentioned this pull request Sep 11, 2017
Closed
robertgzr
robertgzr reviewed Sep 11, 2017
View reviewed changes
man/systemd-nspawn.xml
<command>syscall-filter</command> command of <citerefentry
project='man-pages'><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Passed
system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which case all
listed system calls are prohibited. If this command line option is used multiple times the configured lists are
Copy link

@robertgzr robertgzr Sep 11, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/whit/with ^^

Copy link
Member Author

@poettering poettering Sep 12, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks, fixed in a new force pushed version

@poettering
nspawn: implement configurable syscall whitelisting/blacklisting
960e456 
Now that we have ported nspawn's seccomp code to the generic code in
seccomp-util, let's extend it to support whitelisting and blacklisting
of specific additional syscalls.

This uses similar syntax as PID1's support for system call filtering,
but in contrast to that always implements a blacklist (and not a
whitelist), as we prepopulate the filter with a blacklist, and the
unit's system call filter logic does not come with anything
prepopulated.

(Later on we might actually want to invert the logic here, and
whitelist rather than blacklist things, but at this point let's not do
that. In case we switch this over later, the syscall add/remove logic of
this commit should be compatible conceptually.)

Fixes: systemd#5163

Replaces: systemd#5944
@poettering
Copy link
Member Author

poettering commented Sep 13, 2017

btw, @robertgzr, @alban, @iaguis, a proper review would be very welcome, so that we can merge this, hint hint ;-)

@robertgzr
Copy link

robertgzr commented Sep 13, 2017

Just a question:
In my PR I did all of the filter building on the nspawn side, mostly using what was already there in seccomp-util.h
Are there other parts that might want to use the new functions that "add and item but not if its on the list"?
Wouldn't it be enough if we have https://github.com/systemd/systemd/pull/6798/files#diff-faada5f6c6f6cdddf9d615abc5df9754R72 without the exclude, to just add single items to the seccomp filter and then do the filtering outside?

@poettering
Copy link
Member Author

poettering commented Sep 13, 2017

@robertgzr not sure i grok the question, but do note that the way this is implemented now the "exclude" strv is not just applied to the "top-level" list, but also individually to each syscall list that syscall groups map to.

@robertgzr
Copy link

robertgzr commented Sep 13, 2017

@poettering I guess it's just a question of where you put more code^^ in nspawn or in seccomp-util, that's what I was asking.

@poettering
Copy link
Member Author

poettering commented Sep 13, 2017

@poettering I guess it's just a question of where you put more code^^ in nspawn or in seccomp-util, that's what I was asking.

well, that really depends. Usually as long as something only has a single consumer indeed the best place is to do it in the consumer, not in the generic library code. But then again, it's a blurry line, and sometimes things are genericly useful enough to do them in the generic library code...

@poettering
Copy link
Member Author

poettering commented Sep 13, 2017

thanks for the review!

@poettering poettering merged commit 44a5113 into systemd:master Sep 13, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@robertgzr robertgzr robertgzr approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

nspawn seccomp

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@poettering @robertgzr