summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJay Faulkner <jay@jvf.cc>2015-02-04 02:45:50 +0100
committerLennart Poettering <lennart@poettering.net>2015-02-04 13:34:46 +0100
commitd0a0ccf3fecdb422d3fb7ab89646fe9042f11acd (patch)
treebcf30e2e588e220bafd1adc480e36485fbb5bad6
parentshared/capability: don't be too frugal on space for caps (diff)
downloadsystemd-d0a0ccf3fecdb422d3fb7ab89646fe9042f11acd.tar.xz
systemd-d0a0ccf3fecdb422d3fb7ab89646fe9042f11acd.zip
nspawn: Allow module loading if CAP_SYS_MODULE is requested
nspawn containers currently block module loading in all cases, with no option to disable it. This allows an admin, specifically setting capability=CAP_SYS_MODULE or capability=all to load modules.
-rw-r--r--src/nspawn/nspawn.c23
1 files changed, 20 insertions, 3 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 1e6e7bf302..fb672510b4 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2485,15 +2485,18 @@ static int setup_seccomp(void) {
static const int blacklist[] = {
SCMP_SYS(kexec_load),
SCMP_SYS(open_by_handle_at),
- SCMP_SYS(init_module),
- SCMP_SYS(finit_module),
- SCMP_SYS(delete_module),
SCMP_SYS(iopl),
SCMP_SYS(ioperm),
SCMP_SYS(swapon),
SCMP_SYS(swapoff),
};
+ static const int kmod_blacklist[] = {
+ SCMP_SYS(init_module),
+ SCMP_SYS(finit_module),
+ SCMP_SYS(delete_module),
+ };
+
scmp_filter_ctx seccomp;
unsigned i;
int r;
@@ -2518,6 +2521,20 @@ static int setup_seccomp(void) {
}
}
+ /* If the CAP_SYS_MODULE capability is not requested then
+ * we'll block the kmod syscalls too */
+ if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
+ for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) {
+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0);
+ if (r == -EFAULT)
+ continue; /* unknown syscall */
+ if (r < 0) {
+ log_error_errno(r, "Failed to block syscall: %m");
+ goto finish;
+ }
+ }
+ }
+
/*
Audit is broken in containers, much of the userspace audit
hookup will fail if running inside a container. We don't