sys-apps/systemd: nspawn Map seccomp filters to caps

http://cgit.freedesktop.org/systemd/systemd/commit/?id=9a71b1122c6e49dd9227f82b2f53837c7ea13019
2025-08-20 22:11:39 +02:00 · 2015-03-23 16:20:47 -07:00 · 2015-03-23 16:20:47 -07:00 · 1949388f7e
commit 1949388f7e
parent 0693da064c
3 changed files with 95 additions and 0 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch
@ -0,0 +1,90 @@
+From 9a71b1122c6e49dd9227f82b2f53837c7ea13019 Mon Sep 17 00:00:00 2001
+From: Jay Faulkner <jay@jvf.cc>
+Date: Fri, 20 Feb 2015 21:59:47 +0000
+Subject: nspawn: Map all seccomp filters to capabilities
+
+This change makes it so all seccomp filters are mapped
+to the appropriate capability and are only added if that
+capability was not requested when running the container.
+
+This unbreaks the remaining use cases broken by the
+addition of seccomp filters without respecting requested
+capabilities.
+
+Co-Authored-By: Clif Houck <me@clifhouck.com>
+
+[zj: - adapt to our coding style, make struct anonymous]
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 8ce5fbe..8833704 100644
+--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
+@@ -2567,19 +2567,19 @@ static int setup_ipvlan(pid_t pid) {
+ static int setup_seccomp(void) {
+ 
+ #ifdef HAVE_SECCOMP
+-        static const int blacklist[] = {
+-                SCMP_SYS(kexec_load),
+-                SCMP_SYS(open_by_handle_at),
+-                SCMP_SYS(iopl),
+-                SCMP_SYS(ioperm),
+-                SCMP_SYS(swapon),
+-                SCMP_SYS(swapoff),
+-        };
+-
+-        static const int kmod_blacklist[] = {
+-                SCMP_SYS(init_module),
+-                SCMP_SYS(finit_module),
+-                SCMP_SYS(delete_module),
+        static const struct {
+                uint64_t capability;
+                int syscall_num;
+        } blacklist[] = {
+                { CAP_SYS_RAWIO,  SCMP_SYS(iopl)},
+                { CAP_SYS_RAWIO,  SCMP_SYS(ioperm)},
+                { CAP_SYS_BOOT,   SCMP_SYS(kexec_load)},
+                { CAP_SYS_ADMIN,  SCMP_SYS(swapon)},
+                { CAP_SYS_ADMIN,  SCMP_SYS(swapoff)},
+                { CAP_SYS_ADMIN,  SCMP_SYS(open_by_handle_at)},
+                { CAP_SYS_MODULE, SCMP_SYS(init_module)},
+                { CAP_SYS_MODULE, SCMP_SYS(finit_module)},
+                { CAP_SYS_MODULE, SCMP_SYS(delete_module)},
+         };
+ 
+         scmp_filter_ctx seccomp;
+@@ -2597,7 +2597,10 @@ static int setup_seccomp(void) {
+         }
+ 
+         for (i = 0; i < ELEMENTSOF(blacklist); i++) {
+-                r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
+                if (arg_retain & (1ULL << blacklist[i].capability))
+                        continue;
+
+                r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i].syscall_num, 0);
+                 if (r == -EFAULT)
+                         continue; /* unknown syscall */
+                 if (r < 0) {
+@@ -2606,19 +2609,6 @@ static int setup_seccomp(void) {
+                 }
+         }
+ 
+-        /* If the CAP_SYS_MODULE capability is not requested then
+-         * we'll block the kmod syscalls too */
+-        if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
+-                for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) {
+-                        r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0);
+-                        if (r == -EFAULT)
+-                                continue; /* unknown syscall */
+-                        if (r < 0) {
+-                                log_error_errno(r, "Failed to block syscall: %m");
+-                                goto finish;
+-                        }
+-                }
+-        }
+ 
+         /*
+            Audit is broken in containers, much of the userspace audit
+-- 
+cgit v0.10.2
+
+
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-218-r7.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-218-r7.ebuild
@ -190,6 +190,9 @@ fi
 	epatch "${FILESDIR}"/218-0004-timesyncd-enable-timesyncd-in-virtual-machines.patch
 	epatch "${FILESDIR}"/218-0005-network-add-UseNTP-DHCP-option.patch

+	# Fix for coreos/bugs #293
+	epatch "${FILESDIR}"/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch
+
 	autotools-utils_src_prepare
 }

--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-219-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-219-r2.ebuild
@ -186,6 +186,8 @@ fi
 	# Allow timesyncd in VMs, make DHCP provided NTP servers optional
 	epatch "${FILESDIR}"/219-0001-timesyncd-enable-timesyncd-in-virtual-machines.patch
 	epatch "${FILESDIR}"/219-0002-network-add-UseNTP-DHCP-option.patch
+	# Fix for coreos/bugs #293
+	epatch "${FILESDIR}"/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch

 	autotools-utils_src_prepare
 }