18052125394

Committed 26 Sep 2025 11:00PM UTC coverage: 72.224% (+0.02%) from 72.205%

Build # 18052125394

Build Type

push

github

Committed by

YHNdnzj

Commit Message

pam_systemd: correct alignment

Follow-up for cf2630aca

Run Details

303350 of 420010 relevant lines covered (72.22%)

1058085.05 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

80.7

/src/nspawn/nspawn-seccomp.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <linux/capability.h>
#include <linux/netlink.h>
#include <sys/socket.h>

#include "log.h"
#include "nspawn-seccomp.h"
#include "seccomp-util.h"
#include "strv.h"

#if HAVE_SECCOMP

static int add_syscall_filters(
                scmp_filter_ctx ctx,
                uint32_t arch,
                uint64_t cap_list_retain,
                char **syscall_allow_list,
                char **syscall_deny_list) {

        static const struct {
                uint64_t capability;
                const char* name;
        } allow_list[] = {
                /* Let's use set names where we can */
                { 0,                  "@aio"                         },
                { 0,                  "@basic-io"                    },
                { 0,                  "@chown"                       },
                { 0,                  "@default"                     },
                { 0,                  "@file-system"                 },
                { 0,                  "@io-event"                    },
                { 0,                  "@ipc"                         },
                { 0,                  "@keyring"                     },
                { 0,                  "@mount"                       },
                { 0,                  "@network-io"                  },
                { 0,                  "@process"                     },
                { 0,                  "@resources"                   },
                { 0,                  "@setuid"                      },
                { 0,                  "@signal"                      },
                { 0,                  "@sync"                        },
                { 0,                  "@timer"                       },

                /* The following four are sets we optionally enable, n case the caps have been configured for it */
                { CAP_SYS_TIME,       "@clock"                       },
                { CAP_SYS_MODULE,     "@module"                      },
                { CAP_SYS_RAWIO,      "@raw-io"                      },
                { CAP_IPC_LOCK,       "@memlock"                     },

                /* Plus a good set of additional syscalls which are not part of any of the groups above */
                { 0,                  "arm_fadvise64_64"             },
                { 0,                  "brk"                          },
                { 0,                  "capget"                       },
                { 0,                  "capset"                       },
                { 0,                  "copy_file_range"              },
                { 0,                  "fadvise64"                    },
                { 0,                  "fadvise64_64"                 },
                { 0,                  "flock"                        },
                { 0,                  "get_mempolicy"                },
                { 0,                  "getcpu"                       },
                { 0,                  "getpriority"                  },
                { 0,                  "getrandom"                    },
                { 0,                  "ioctl"                        },
                { 0,                  "ioprio_get"                   },
                { 0,                  "kcmp"                         },
                { 0,                  "madvise"                      },
                { 0,                  "mincore"                      },
                { 0,                  "mprotect"                     },
                { 0,                  "mremap"                       },
                { 0,                  "name_to_handle_at"            },
                { 0,                  "oldolduname"                  },
                { 0,                  "olduname"                     },
                { 0,                  "personality"                  },
                { 0,                  "readahead"                    },
                { 0,                  "readdir"                      },
                { 0,                  "remap_file_pages"             },
                { 0,                  "sched_get_priority_max"       },
                { 0,                  "sched_get_priority_min"       },
                { 0,                  "sched_getaffinity"            },
                { 0,                  "sched_getattr"                },
                { 0,                  "sched_getparam"               },
                { 0,                  "sched_getscheduler"           },
                { 0,                  "sched_rr_get_interval"        },
                { 0,                  "sched_rr_get_interval_time64" },
                { 0,                  "sched_yield"                  },
                { 0,                  "sendfile"                     },
                { 0,                  "sendfile64"                   },
                { 0,                  "setdomainname"                },
                { 0,                  "setfsgid"                     },
                { 0,                  "setfsgid32"                   },
                { 0,                  "setfsuid"                     },
                { 0,                  "setfsuid32"                   },
                { 0,                  "sethostname"                  },
                { 0,                  "setpgid"                      },
                { 0,                  "setsid"                       },
                { 0,                  "splice"                       },
                { 0,                  "sysinfo"                      },
                { 0,                  "tee"                          },
                { 0,                  "umask"                        },
                { 0,                  "uname"                        },
                { 0,                  "userfaultfd"                  },
                { 0,                  "vmsplice"                     },

                /* The following individual syscalls are added depending on specified caps */
                { CAP_SYS_PACCT,      "acct"                         },
                { CAP_SYS_PTRACE,     "process_vm_readv"             },
                { CAP_SYS_PTRACE,     "process_vm_writev"            },
                { CAP_SYS_PTRACE,     "ptrace"                       },
                { CAP_SYS_BOOT,       "reboot"                       },
                { CAP_SYSLOG,         "syslog"                       },
                { CAP_SYS_TTY_CONFIG, "vhangup"                      },
                { CAP_BPF,            "bpf",                         },

                /*
                 * The following syscalls and groups are knowingly excluded:
                 *
                 * @cpu-emulation
                 * @obsolete
                 * @pkey
                 * @swap
                 *
                 * fanotify_init
                 * fanotify_mark
                 * kexec_file_load
                 * kexec_load
                 * lookup_dcookie
                 * nfsservctl
                 * open_by_handle_at
                 * perf_event_open
                 * quotactl
                 */
        };

        _cleanup_strv_free_ char **added = NULL;
        int r;

        FOREACH_ELEMENT(i, allow_list) {
                if (i->capability != 0 && (cap_list_retain & (1ULL << i->capability)) == 0)
                        continue;

                r = seccomp_add_syscall_filter_item(ctx,
                                                    i->name,
                                                    SCMP_ACT_ALLOW,
                                                    syscall_deny_list,
                                                    false,
                                                    &added);
                if (r < 0)
                        return log_error_errno(r, "Failed to add syscall filter item %s: %m", i->name);
        }

        STRV_FOREACH(p, syscall_allow_list) {
                r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true, &added);
                if (r < 0)
                        log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
                                          *p, seccomp_arch_to_string(arch));
        }

        /* The default action is ENOSYS. Respond with EPERM to all other "known" but not allow-listed
         * syscalls. */
        r = seccomp_add_syscall_filter_item(ctx, "@known", SCMP_ACT_ERRNO(EPERM), added, true, NULL);
        if (r < 0)
                log_warning_errno(r, "Failed to add rule for @known set on %s, ignoring: %m",
                                  seccomp_arch_to_string(arch));

#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
        /* We have a large filter here, so let's turn on the binary tree mode if possible. */
        r = sym_seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
        if (r < 0)
                log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
#endif

        return 0;
}

int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **syscall_deny_list) {
        uint32_t arch;
        int r;

        if (!is_seccomp_available()) {
                log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
                return 0;
        }

        SECCOMP_FOREACH_LOCAL_ARCH(arch) {
                _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;

                log_debug("Applying allow list on architecture: %s", seccomp_arch_to_string(arch));

                /* We install ENOSYS as the default action, but it will only apply to syscalls which are not
                 * in the @known set, see above. */
                r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(ENOSYS));
                if (r < 0)
                        return log_error_errno(r, "Failed to allocate seccomp object: %m");

                r = add_syscall_filters(seccomp, arch, cap_list_retain, syscall_allow_list, syscall_deny_list);
                if (r < 0)
                        return r;

                r = sym_seccomp_load(seccomp);
                if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
                        return log_error_errno(r, "Failed to install seccomp filter: %m");
                if (r < 0)
                        log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m",
                                        seccomp_arch_to_string(arch));
        }

        SECCOMP_FOREACH_LOCAL_ARCH(arch) {
                _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;

                log_debug("Applying NETLINK_AUDIT mask on architecture: %s", seccomp_arch_to_string(arch));

                r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
                if (r < 0)
                        return log_error_errno(r, "Failed to allocate seccomp object: %m");

                /*
                  Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
                  container. We don't care and just turn off creation of audit sockets.

                  This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
                  as indication that audit is disabled in the kernel.
                */

                r = sym_seccomp_rule_add_exact(
                                seccomp,
                                SCMP_ACT_ERRNO(EAFNOSUPPORT),
                                SCMP_SYS(socket),
                                2,
                                SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
                                SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
                if (r < 0) {
                        log_debug_errno(r, "Failed to add audit seccomp rule, ignoring: %m");
                        continue;
                }

                r = sym_seccomp_load(seccomp);
                if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
                        return log_error_errno(r, "Failed to install seccomp audit filter: %m");
                if (r < 0)
                        log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m",
                                        seccomp_arch_to_string(arch));
        }

        return 0;
}

#else

int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **syscall_deny_list) {
        return 0;
}

#endif

1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3	#include <linux/capability.h>
4	#include <linux/netlink.h>
5	#include <sys/socket.h>
6
7	#include "log.h"
8	#include "nspawn-seccomp.h"
9	#include "seccomp-util.h"
10	#include "strv.h"
11
12	#if HAVE_SECCOMP
13
14	static int add_syscall_filters(	363✔
15	scmp_filter_ctx ctx,
16	uint32_t arch,
17	uint64_t cap_list_retain,
18	char **syscall_allow_list,
19	char **syscall_deny_list) {
20
21	static const struct {	363✔
22	uint64_t capability;
23	const char* name;
24	} allow_list[] = {
25	/* Let's use set names where we can */
26	{ 0, "@aio" },
27	{ 0, "@basic-io" },
28	{ 0, "@chown" },
29	{ 0, "@default" },
30	{ 0, "@file-system" },
31	{ 0, "@io-event" },
32	{ 0, "@ipc" },
33	{ 0, "@keyring" },
34	{ 0, "@mount" },
35	{ 0, "@network-io" },
36	{ 0, "@process" },
37	{ 0, "@resources" },
38	{ 0, "@setuid" },
39	{ 0, "@signal" },
40	{ 0, "@sync" },
41	{ 0, "@timer" },
42
43	/* The following four are sets we optionally enable, n case the caps have been configured for it */
44	{ CAP_SYS_TIME, "@clock" },
45	{ CAP_SYS_MODULE, "@module" },
46	{ CAP_SYS_RAWIO, "@raw-io" },
47	{ CAP_IPC_LOCK, "@memlock" },
48
49	/* Plus a good set of additional syscalls which are not part of any of the groups above */
50	{ 0, "arm_fadvise64_64" },
51	{ 0, "brk" },
52	{ 0, "capget" },
53	{ 0, "capset" },
54	{ 0, "copy_file_range" },
55	{ 0, "fadvise64" },
56	{ 0, "fadvise64_64" },
57	{ 0, "flock" },
58	{ 0, "get_mempolicy" },
59	{ 0, "getcpu" },
60	{ 0, "getpriority" },
61	{ 0, "getrandom" },
62	{ 0, "ioctl" },
63	{ 0, "ioprio_get" },
64	{ 0, "kcmp" },
65	{ 0, "madvise" },
66	{ 0, "mincore" },
67	{ 0, "mprotect" },
68	{ 0, "mremap" },
69	{ 0, "name_to_handle_at" },
70	{ 0, "oldolduname" },
71	{ 0, "olduname" },
72	{ 0, "personality" },
73	{ 0, "readahead" },
74	{ 0, "readdir" },
75	{ 0, "remap_file_pages" },
76	{ 0, "sched_get_priority_max" },
77	{ 0, "sched_get_priority_min" },
78	{ 0, "sched_getaffinity" },
79	{ 0, "sched_getattr" },
80	{ 0, "sched_getparam" },
81	{ 0, "sched_getscheduler" },
82	{ 0, "sched_rr_get_interval" },
83	{ 0, "sched_rr_get_interval_time64" },
84	{ 0, "sched_yield" },
85	{ 0, "sendfile" },
86	{ 0, "sendfile64" },
87	{ 0, "setdomainname" },
88	{ 0, "setfsgid" },
89	{ 0, "setfsgid32" },
90	{ 0, "setfsuid" },
91	{ 0, "setfsuid32" },
92	{ 0, "sethostname" },
93	{ 0, "setpgid" },
94	{ 0, "setsid" },
95	{ 0, "splice" },
96	{ 0, "sysinfo" },
97	{ 0, "tee" },
98	{ 0, "umask" },
99	{ 0, "uname" },
100	{ 0, "userfaultfd" },
101	{ 0, "vmsplice" },
102
103	/* The following individual syscalls are added depending on specified caps */
104	{ CAP_SYS_PACCT, "acct" },
105	{ CAP_SYS_PTRACE, "process_vm_readv" },
106	{ CAP_SYS_PTRACE, "process_vm_writev" },
107	{ CAP_SYS_PTRACE, "ptrace" },
108	{ CAP_SYS_BOOT, "reboot" },
109	{ CAP_SYSLOG, "syslog" },
110	{ CAP_SYS_TTY_CONFIG, "vhangup" },
111	{ CAP_BPF, "bpf", },
112
113	/*
114	* The following syscalls and groups are knowingly excluded:
115	*
116	* @cpu-emulation
117	* @obsolete
118	* @pkey
119	* @swap
120	*
121	* fanotify_init
122	* fanotify_mark
123	* kexec_file_load
124	* kexec_load
125	* lookup_dcookie
126	* nfsservctl
127	* open_by_handle_at
128	* perf_event_open
129	* quotactl
130	*/
131	};
132
133	_cleanup_strv_free_ char **added = NULL;	×
134	int r;	363✔
135
136	FOREACH_ELEMENT(i, allow_list) {	29,403✔
137	if (i->capability != 0 && (cap_list_retain & (1ULL << i->capability)) == 0)	29,040✔
138	continue;	2,517✔
139
140	r = seccomp_add_syscall_filter_item(ctx,	53,046✔
141	i->name,	26,523✔
142	SCMP_ACT_ALLOW,
143	syscall_deny_list,
144	false,
145	&added);
146	if (r < 0)	26,523✔
147	return log_error_errno(r, "Failed to add syscall filter item %s: %m", i->name);	×
148	}
149
150	STRV_FOREACH(p, syscall_allow_list) {	369✔
151	r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true, &added);	6✔
152	if (r < 0)	6✔
153	log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",	6✔
154	*p, seccomp_arch_to_string(arch));
155	}
156
157	/* The default action is ENOSYS. Respond with EPERM to all other "known" but not allow-listed
158	* syscalls. */
159	r = seccomp_add_syscall_filter_item(ctx, "@known", SCMP_ACT_ERRNO(EPERM), added, true, NULL);	363✔
160	if (r < 0)	363✔
161	log_warning_errno(r, "Failed to add rule for @known set on %s, ignoring: %m",	×
162	seccomp_arch_to_string(arch));
163
164	#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) \|\| SCMP_VER_MAJOR > 2
165	/* We have a large filter here, so let's turn on the binary tree mode if possible. */
166	r = sym_seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);	363✔
167	if (r < 0)	363✔
168	log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");	363✔
169	#endif
170
171	return 0;
172	}
173
174	int setup_seccomp(uint64_t cap_list_retain, char syscall_allow_list, char syscall_deny_list) {	121✔
175	uint32_t arch;	121✔
176	int r;	121✔
177
178	if (!is_seccomp_available()) {	121✔
179	log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");	×
180	return 0;	×
181	}
182
183	SECCOMP_FOREACH_LOCAL_ARCH(arch) {	484✔
184	_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;	×
185
186	log_debug("Applying allow list on architecture: %s", seccomp_arch_to_string(arch));	363✔
187
188	/* We install ENOSYS as the default action, but it will only apply to syscalls which are not
189	* in the @known set, see above. */
190	r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(ENOSYS));	363✔
191	if (r < 0)	363✔
192	return log_error_errno(r, "Failed to allocate seccomp object: %m");	×
193
194	r = add_syscall_filters(seccomp, arch, cap_list_retain, syscall_allow_list, syscall_deny_list);	363✔
195	if (r < 0)	363✔
196	return r;
197
198	r = sym_seccomp_load(seccomp);	363✔
199	if (ERRNO_IS_NEG_SECCOMP_FATAL(r))	363✔
200	return log_error_errno(r, "Failed to install seccomp filter: %m");	×
201	if (r < 0)	363✔
202	log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m",	363✔
203	seccomp_arch_to_string(arch));
204	}
205
206	SECCOMP_FOREACH_LOCAL_ARCH(arch) {	484✔
207	_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;	×
208
209	log_debug("Applying NETLINK_AUDIT mask on architecture: %s", seccomp_arch_to_string(arch));	363✔
210
211	r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);	363✔
212	if (r < 0)	363✔
213	return log_error_errno(r, "Failed to allocate seccomp object: %m");	×
214
215	/*
216	Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
217	container. We don't care and just turn off creation of audit sockets.
218
219	This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
220	as indication that audit is disabled in the kernel.
221	*/
222
223	r = sym_seccomp_rule_add_exact(	726✔
224	seccomp,
225	SCMP_ACT_ERRNO(EAFNOSUPPORT),
226	SCMP_SYS(socket),
227	2,
228	SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),	363✔
229	SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));	363✔
230	if (r < 0) {	363✔
231	log_debug_errno(r, "Failed to add audit seccomp rule, ignoring: %m");	121✔
232	continue;	121✔
233	}
234
235	r = sym_seccomp_load(seccomp);	242✔
236	if (ERRNO_IS_NEG_SECCOMP_FATAL(r))	242✔
237	return log_error_errno(r, "Failed to install seccomp audit filter: %m");	×
238	if (r < 0)	242✔
239	log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m",	242✔
240	seccomp_arch_to_string(arch));
241	}
242
243	return 0;
244	}
245
246	#else
247
248	int setup_seccomp(uint64_t cap_list_retain, char syscall_allow_list, char syscall_deny_list) {
249	return 0;
250	}
251
252	#endif

systemd / systemd / 18052125394

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous