summaryrefslogtreecommitdiffstats
path: root/src/shared/seccomp-util.c
diff options
context:
space:
mode:
authorDjalal Harouni <tixxdz@opendz.org>2017-10-03 07:20:05 +0200
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2017-10-03 07:20:05 +0200
commit09d3020b0a4da6fcd5f23b93ac327c5619b5f871 (patch)
treefd6140622711194a5a02645b0d69708c85be47aa /src/shared/seccomp-util.c
parentMerge pull request #6940 from poettering/magic-dirs (diff)
downloadsystemd-09d3020b0a4da6fcd5f23b93ac327c5619b5f871.tar.xz
systemd-09d3020b0a4da6fcd5f23b93ac327c5619b5f871.zip
seccomp: remove '@credentials' syscall set (#6958)
This removes the '@credentials' syscall set that was added in commit v234-468-gcd0ddf6f75. Most of these syscalls are so simple that we do not want to filter them. They work on the current calling process, doing only read operations, they do not have a deep kernel path. The problem may only be in 'capget' syscall since it can query arbitrary processes, and used to discover processes, however sending signal 0 to arbitrary processes can be used to discover if a process exists or not. It is unfortunate that Linux allows to query processes of different users. Lets put it now in '@process' syscall set, and later we may add it to a new '@basic-process' set that allows most basic process operations.
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r--src/shared/seccomp-util.c49
1 files changed, 21 insertions, 28 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 5e78a088e9..a7720c53dc 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -281,8 +281,28 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"futex\0"
"get_robust_list\0"
"get_thread_area\0"
+ "getegid\0"
+ "getegid32\0"
+ "geteuid\0"
+ "geteuid32\0"
+ "getgid\0"
+ "getgid32\0"
+ "getgroups\0"
+ "getgroups32\0"
+ "getpgid\0"
+ "getpgrp\0"
+ "getpid\0"
+ "getppid\0"
+ "getresgid\0"
+ "getresgid32\0"
+ "getresuid\0"
+ "getresuid32\0"
"getrlimit\0" /* make sure processes can query stack size and such */
+ "getsid\0"
+ "gettid\0"
"gettimeofday\0"
+ "getuid\0"
+ "getuid32\0"
"membarrier\0"
"nanosleep\0"
"pause\0"
@@ -333,32 +353,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"vm86\0"
"vm86old\0"
},
- [SYSCALL_FILTER_SET_CREDENTIALS] = {
- .name = "@credentials",
- .help = "Query own process credentials",
- .value =
- "capget\0"
- "getegid\0"
- "getegid32\0"
- "geteuid\0"
- "geteuid32\0"
- "getgid\0"
- "getgid32\0"
- "getgroups\0"
- "getgroups32\0"
- "getpgid\0"
- "getpgrp\0"
- "getpid\0"
- "getppid\0"
- "getresgid\0"
- "getresgid32\0"
- "getresuid\0"
- "getresuid32\0"
- "getsid\0"
- "gettid\0"
- "getuid\0"
- "getuid32\0"
- },
[SYSCALL_FILTER_SET_DEBUG] = {
.name = "@debug",
.help = "Debugging, performance monitoring and tracing functionality",
@@ -645,11 +639,10 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.help = "Process control, execution, namespaceing operations",
.value =
"arch_prctl\0"
+ "capget\0" /* Able to query arbitrary processes */
"clone\0"
"execveat\0"
"fork\0"
- "getpid\0"
- "getppid\0"
"getrusage\0"
"gettid\0"
"kill\0"