From 620dbdd2489515696d53b90c061208b43b65aafa Mon Sep 17 00:00:00 2001
From: Kevin Kuehler
Date: Mon, 4 Nov 2019 17:17:01 -0800
Subject: [PATCH] shared: Add ProtectKernelLogs property

Add seccomp_protect_syslog, which adds a filter rule for the syslog system call.
---
 src/shared/bus-unit-util.c |  4 ++--
 src/shared/seccomp-util.c  | 32 ++++++++++++++++++++++++++++++++
 src/shared/seccomp-util.h  |  1 +
 3 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index c9f352f..29dd89d 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -818,8 +818,8 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
                               "PrivateDevices", "PrivateNetwork", "PrivateUsers", "PrivateMounts", "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute", "RestrictRealtime", "DynamicUser", "RemoveIPC", "ProtectKernelTunables", "ProtectKernelModules",
-                              "ProtectControlGroups", "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality",
-                              "ProtectHostname", "RestrictSUIDSGID"))
+                              "ProtectKernelLogs", "ProtectControlGroups", "MountAPIVFS", "CPUSchedulingResetOnFork",
+                              "LockPersonality", "ProtectHostname", "RestrictSUIDSGID"))
                 return bus_append_parse_boolean(m, field, eq);
         if (STR_IN_SET(field,
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 22110d0..bd4f004 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1281,6 +1281,38 @@ int seccomp_protect_sysctl(void) {
         return 0;
 }
 
+int seccomp_protect_syslog(void) {
+        uint32_t arch;
+        int r;
+
+        SECCOMP_FOREACH_LOCAL_ARCH(arch) {
+                _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
+
+                r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
+                if (r < 0)
+                        return r;
+
+                r = seccomp_rule_add_exact(
+                                seccomp,
+                                SCMP_ACT_ERRNO(EPERM),
+                                SCMP_SYS(syslog),
+                                0);
+
+                if (r < 0) {
+                        log_debug_errno(r, "Failed to add syslog() rule for architecture %s, skipping %m", seccomp_arch_to_string(arch));
+                        continue;
+                }
+
+                r = seccomp_load(seccomp);
+                if (ERRNO_IS_SECCOMP_FATAL(r))
+                        return r;
+                if (r < 0)
+                        log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch));
+        }
+
+        return 0;
+}
+
 int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
         uint32_t arch;
         int r;
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index b29082a..0b48e74 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -82,6 +82,7 @@ int seccomp_parse_syscall_filter(
 int seccomp_restrict_archs(Set *archs);
 int seccomp_restrict_namespaces(unsigned long retain);
 int seccomp_protect_sysctl(void);
+int seccomp_protect_syslog(void);
 int seccomp_restrict_address_families(Set *address_families, bool whitelist);
 int seccomp_restrict_realtime(void);
 int seccomp_memory_deny_write_execute(void);
-- 
2.7.4
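Review bot: seccomp_protect_syslog() carries no header comment, and its contract is not obvious from the body: the rule is SCMP_ACT_ERRNO(EPERM) on SCMP_SYS(syslog) with zero argument comparisons, so every syslog(2) action, including read-only ones such as querying the ring-buffer size, fails with EPERM, and only the system call is covered, not the /dev/kmsg path or CAP_SYSLOG. Suggest stating that above the definition, e.g. `/* Refuse every syslog(2) action with EPERM on all local architectures. Only the syscall is filtered; /dev/kmsg access and CAP_SYSLOG are left to the caller. Per-architecture rule failures are skipped with a debug log, as seccomp_load() errors are unless fatal. */`. The two log_debug_errno() messages end in `skipping %m`; a colon before the errno text, `skipping: %m`, reads more naturally. Nothing in this patch calls seccomp_protect_syslog() or adds the corresponding exec-context plumbing, so the property name added to bus-unit-util.c presumably relies on a companion commit for its server-side counterpart.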