New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix handling/ordering of seccomp(), selinux/aa during service exec #3993
Comments
also, we need to think about no-new-privileges in relation to seccomp (which it often implies) and selinux |
Related:
Some helpful links: |
poettering
added a commit
to poettering/systemd
that referenced
this issue
Oct 25, 2016
Seccomp is generally an unprivileged operation, changing security contexts is most likely associated with some form of policy. Moreover, while seccomp may influence our own flow of code quite a bit (much more than the security context change) make sure to apply the seccomp filters immediately before executing the binary to invoke. This also moves enforcement of NNP after the security context change, so that NNP cannot affect it anymore. (However, the security policy now has to permit the NNP change). (The SMACK code should probably be moved to, but we'll leave that out for now.) This change has a good chance of breaking current SELinux/AA setups, because the policy might not expect this change of behaviour. However, it's technically the better choice I think and should hence be applied. Fixes: systemd#3993
poettering
added a commit
to poettering/systemd
that referenced
this issue
Oct 25, 2016
…ice manager If execve() or socket() is filtered the service manager might get into trouble executing the service binary, or handling any failures when this fails. Mention this in the documentation. The other option would be to implicitly whitelist all system calls that are required for these codepaths. However, that appears less than desirable as this would mean socket() and many related calls have to be whitelisted unconditionally. As writing system call filters requires a certain level of expertise anyway it sounds like the better option to simply document these issues and suggest that the user disables system call filters in the service temporarily in order to debug any such failures. See: systemd#3993.
My proposed fix is waiting in #4483 |
poettering
added a commit
to poettering/systemd
that referenced
this issue
Nov 2, 2016
…ice manager If execve() or socket() is filtered the service manager might get into trouble executing the service binary, or handling any failures when this fails. Mention this in the documentation. The other option would be to implicitly whitelist all system calls that are required for these codepaths. However, that appears less than desirable as this would mean socket() and many related calls have to be whitelisted unconditionally. As writing system call filters requires a certain level of expertise anyway it sounds like the better option to simply document these issues and suggest that the user disables system call filters in the service temporarily in order to debug any such failures. See: systemd#3993.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A follow-up from #3970: let's clean up the handling/ordering of post-seccomp code in the service execute path. In particular:
The text was updated successfully, but these errors were encountered: