Merge pull request #1158 from jayofdoom/jay/CoreOSBug293

sys-apps/systemd: nspawn Map seccomp filters to caps
2025-08-21 14:31:02 +02:00 · 2015-03-23 18:13:06 -07:00 · 2015-03-23 18:13:06 -07:00 · c323a142fa
commit c323a142fa
parent 0693da064c 1949388f7e
3 changed files with 95 additions and 0 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch
@ -0,0 +1,90 @@
 From 9a71b1122c6e49dd9227f82b2f53837c7ea13019 Mon Sep 17 00:00:00 2001
 From: Jay Faulkner <jay@jvf.cc>
 Date: Fri, 20 Feb 2015 21:59:47 +0000
 Subject: nspawn: Map all seccomp filters to capabilities
 This change makes it so all seccomp filters are mapped
 to the appropriate capability and are only added if that
 capability was not requested when running the container.
 This unbreaks the remaining use cases broken by the
 addition of seccomp filters without respecting requested
 capabilities.
 Co-Authored-By: Clif Houck <me@clifhouck.com>
 [zj: - adapt to our coding style, make struct anonymous]
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
 index 8ce5fbe..8833704 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
@@ -2567,19 +2567,19 @@ static int setup_ipvlan(pid_t pid) {
 static int setup_seccomp(void) {
 #ifdef HAVE_SECCOMP
 -        static const int blacklist[] = {
 -                SCMP_SYS(kexec_load),
 -                SCMP_SYS(open_by_handle_at),
 -                SCMP_SYS(iopl),
 -                SCMP_SYS(ioperm),
 -                SCMP_SYS(swapon),
 -                SCMP_SYS(swapoff),
 -        };
 -
 -        static const int kmod_blacklist[] = {
 -                SCMP_SYS(init_module),
 -                SCMP_SYS(finit_module),
 -                SCMP_SYS(delete_module),
 +        static const struct {
 +                uint64_t capability;
 +                int syscall_num;
 +        } blacklist[] = {
 +                { CAP_SYS_RAWIO,  SCMP_SYS(iopl)},
 +                { CAP_SYS_RAWIO,  SCMP_SYS(ioperm)},
 +                { CAP_SYS_BOOT,   SCMP_SYS(kexec_load)},
 +                { CAP_SYS_ADMIN,  SCMP_SYS(swapon)},
 +                { CAP_SYS_ADMIN,  SCMP_SYS(swapoff)},
 +                { CAP_SYS_ADMIN,  SCMP_SYS(open_by_handle_at)},
 +                { CAP_SYS_MODULE, SCMP_SYS(init_module)},
 +                { CAP_SYS_MODULE, SCMP_SYS(finit_module)},
 +                { CAP_SYS_MODULE, SCMP_SYS(delete_module)},
         };
         scmp_filter_ctx seccomp;
@@ -2597,7 +2597,10 @@ static int setup_seccomp(void) {
         }
         for (i = 0; i < ELEMENTSOF(blacklist); i++) {
 -                r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
 +                if (arg_retain & (1ULL << blacklist[i].capability))
 +                        continue;
 +
 +                r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i].syscall_num, 0);
                 if (r == -EFAULT)
                         continue; /* unknown syscall */
                 if (r < 0) {
@@ -2606,19 +2609,6 @@ static int setup_seccomp(void) {
                 }
         }
 -        /* If the CAP_SYS_MODULE capability is not requested then
 -         * we'll block the kmod syscalls too */
 -        if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
 -                for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) {
 -                        r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0);
 -                        if (r == -EFAULT)
 -                                continue; /* unknown syscall */
 -                        if (r < 0) {
 -                                log_error_errno(r, "Failed to block syscall: %m");
 -                                goto finish;
 -                        }
 -                }
 -        }
         /*
            Audit is broken in containers, much of the userspace audit
 -- 
 cgit v0.10.2
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-218-r7.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-218-r7.ebuild
@ -190,6 +190,9 @@ fi
 	epatch "${FILESDIR}"/218-0004-timesyncd-enable-timesyncd-in-virtual-machines.patch
 	epatch "${FILESDIR}"/218-0005-network-add-UseNTP-DHCP-option.patch
 	# Fix for coreos/bugs #293
 	epatch "${FILESDIR}"/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch
 	autotools-utils_src_prepare
 }
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-219-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-219-r2.ebuild
@ -186,6 +186,8 @@ fi
 	# Allow timesyncd in VMs, make DHCP provided NTP servers optional
 	epatch "${FILESDIR}"/219-0001-timesyncd-enable-timesyncd-in-virtual-machines.patch
 	epatch "${FILESDIR}"/219-0002-network-add-UseNTP-DHCP-option.patch
 	# Fix for coreos/bugs #293
 	epatch "${FILESDIR}"/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch
 	autotools-utils_src_prepare
 }