rpms
/
systemd
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c79da92385'
${ noResults }
systemd/SOURCES/0568-seccomp-allow-turning-...

83 lines
3.1 KiB
Raw Blame History Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

From e706f5df66b7189a7df526aeeb45c86b8c4b057a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 2 Nov 2020 14:51:10 +0100
Subject: [PATCH] seccomp: allow turning off of seccomp filtering via env var
Fixes: #17504
(While we are it, also move $SYSTEMD_SECCOMP_LOG= env var description
into the right document section)
Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
(cherry picked from commit ce8f6d478e3f6c6a313fb19615aa5029bb18f86d)
Resolves: #1916835
---
doc/ENVIRONMENT.md | 3 +++
src/nspawn/nspawn-seccomp.c | 2 +-
src/shared/seccomp-util.c | 19 +++++++++++++++----
3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/doc/ENVIRONMENT.md b/doc/ENVIRONMENT.md
index 0e763b6302..36b649afe1 100644
--- a/doc/ENVIRONMENT.md
+++ b/doc/ENVIRONMENT.md
@@ -117,3 +117,6 @@ systemd-sulogin-shell:
* `$SYSTEMD_SULOGIN_FORCE=1` — This skips asking for the root password if the
root password is not available (such as when the root account is locked).
See `sulogin(8)` for more details.
+
+* `$SYSTEMD_SECCOMP=0` if set, seccomp filters will not be enforced, even if
+ support for it is compiled in and available in the kernel.
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index b56c5b04a8..fba22644da 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -172,7 +172,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys
int r;
if (!is_seccomp_available()) {
- log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
+ log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
return 0;
}
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index d91fb4e269..e903512d45 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -12,6 +12,7 @@
#include "af-list.h"
#include "alloc-util.h"
+#include "env-util.h"
#include "macro.h"
#include "nsflags.h"
#include "process-util.h"
@@ -244,10 +245,20 @@ static bool is_seccomp_filter_available(void) {
bool is_seccomp_available(void) {
static int cached_enabled = -1;
- if (cached_enabled < 0)
- cached_enabled =
- is_basic_seccomp_available() &&
- is_seccomp_filter_available();
+ if (cached_enabled < 0) {
+ int b;
+
+ b = getenv_bool("SYSTEMD_SECCOMP");
+ if (b != 0) {
+ if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */
+ log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring.");
+
+ cached_enabled =
+ is_basic_seccomp_available() &&
+ is_seccomp_filter_available();
+ } else
+ cached_enabled = false;
+ }
return cached_enabled;
}
Reference in new issue View Git Blame Copy Permalink