From 94a7b2759d39fcfed1381ac324cc24a83ec4d1be Mon Sep 17 00:00:00 2001
From: Kevin Kuehler
Date: Sun, 10 Nov 2019 01:17:01 -0800
Subject: [PATCH] core: ProtectKernelLogs= mask kmsg in proc and sys

Block access to /dev/kmsg and /proc/kmsg when ProtectKernelLogs is set.
---
 src/core/execute.c | 2 ++
 src/core/namespace.c | 15 ++++++++++++++-
 src/core/namespace.h | 1 +
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/core/execute.c b/src/core/execute.c
index 89c485a..8ab4b18 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1872,6 +1872,7 @@ static bool exec_needs_mount_namespace(
 context->protect_home != PROTECT_HOME_NO ||
 context->protect_kernel_tunables ||
 context->protect_kernel_modules ||
+ context->protect_kernel_logs ||
 context->protect_control_groups)
 return true;
 
@@ -2507,6 +2508,7 @@ static int apply_mount_namespace(
 .protect_control_groups = context->protect_control_groups,
 .protect_kernel_tunables = context->protect_kernel_tunables,
 .protect_kernel_modules = context->protect_kernel_modules,
+ .protect_kernel_logs = context->protect_kernel_logs,
 .protect_hostname = context->protect_hostname,
 .mount_apivfs = context->mount_apivfs,
 .private_mounts = context->private_mounts,
diff --git a/src/core/namespace.c b/src/core/namespace.c
index df0455b..bbb3724 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -109,6 +109,12 @@ static const MountEntry protect_kernel_modules_table[] = {
 { "/usr/lib/modules", INACCESSIBLE, true },
 };
 
+/* ProtectKernelLogs= option */
+static const MountEntry protect_kernel_logs_table[] = {
+ { "/proc/kmsg", INACCESSIBLE, true },
+ { "/dev/kmsg", INACCESSIBLE, true },
+};
+
 /*
 * ProtectHome=read-only table, protect $HOME and $XDG_RUNTIME_DIR and rest of
 * system should be protected by ProtectSystem=
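Review bot: The new protect_kernel_logs_table blocks only the two filesystem paths to the kernel ring buffer; the buffer is also readable through the syslog(2) system call, which a mount namespace cannot restrict, so unless another patch in the series drops CAP_SYSLOG and filters that syscall, ProtectKernelLogs= as added here is a partial barrier and the table's comment should say so, e.g. `/* ProtectKernelLogs= option: masks the filesystem entry points to the kernel ring buffer; syslog(2) and CAP_SYSLOG are not covered by this table */`. The Subject line says "in proc and sys" while the entries cover /proc/kmsg and /dev/kmsg, so the subject or the table is off by one path. The third column is `true` as in the protect_kernel_modules_table entry visible above, presumably so a missing /dev/kmsg (for instance under PrivateDevices=) is tolerated rather than failing the unit; worth confirming that is the meaning append_static_mounts gives it.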
@@ -1147,8 +1153,9 @@ static size_t namespace_calculate_mounts(
 n_temporary_filesystems +
 ns_info->private_dev +
 (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
- (ns_info->protect_control_groups ? 1 : 0) +
 (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
+ (ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) +
+ (ns_info->protect_control_groups ? 1 : 0) +
 protect_home_cnt + protect_system_cnt +
 (ns_info->protect_hostname ? 2 : 0) +
 (namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0);
@@ -1319,6 +1326,12 @@ int setup_namespace(
 goto finish;
 }
 
+ if (ns_info->protect_kernel_logs) {
+ r = append_static_mounts(&m, protect_kernel_logs_table, ELEMENTSOF(protect_kernel_logs_table), ns_info->ignore_protect_paths);
+ if (r < 0)
+ goto finish;
+ }
+
 if (ns_info->protect_control_groups) {
 *(m++) = (MountEntry) {
 .path_const = "/sys/fs/cgroup",
diff --git a/src/core/namespace.h b/src/core/namespace.h
index e5cd8e5..60a6abc 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -51,6 +51,7 @@ struct NamespaceInfo {
 bool protect_control_groups:1;
 bool protect_kernel_tunables:1;
 bool protect_kernel_modules:1;
+ bool protect_kernel_logs:1;
 bool mount_apivfs:1;
 bool protect_hostname:1;
 };
--
2.7.4
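Review bot: The `-`/`+` pair around `(ns_info->protect_control_groups ? 1 : 0) +` in namespace_calculate_mounts is a pure move of an unrelated term that the commit message does not mention; it appears intended to mirror the block order in setup_namespace (the next hunk inserts the kernel-logs block just before the control-groups one), so either say so in the description or drop the move and keep this hunk to the one added line. The count here and the append_static_mounts() call in the following hunk have to change together, since the mount array is presumably sized from this sum; a comment on the return such as `/* must mirror the mounts appended in setup_namespace() */` would make that coupling explicit for the next option added. namespace_calculate_mounts() and setup_namespace() both begin outside their hunks.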