From b39c362c6d1c6a0515e12f14f808c6fc79d5ec2d Mon Sep 17 00:00:00 2001 From: Michal Sojka Date: Fri, 3 Nov 2017 22:31:41 +0100 Subject: [PATCH] service: Start services normally when seccomp is disabled When service init file declares seccomp support (procd_set_param seccomp), but procd is compiled without seccomp support, the service should be started normally, because seccomp-trace and utrace are not available. Older procd versions decided about whether to start a service in seccomp sandbox or not based on existence of seccomp whitelist in the filesystem. This was recently removed (c8faedc "Do not disable seccomp when configuration is not found", 2017-09-12) because it could be easy for attackers to disable seccomp support. This changes is a follow-up to the mentioned commit. With it, procd decides about whether to use seccomp sandbox based only on compile-time configuration. Signed-off-by: Michal Sojka Tested-by: Hans Dedecker --- CMakeLists.txt | 1 + service/instance.c | 9 ++++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 7d05e97..4b3eebd 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -88,6 +88,7 @@ ADD_CUSTOM_COMMAND( ADD_CUSTOM_TARGET(capabilities-names-h DEPENDS capabilities-names.h) IF(SECCOMP_SUPPORT) +ADD_DEFINITIONS(-DSECCOMP_SUPPORT) ADD_LIBRARY(preload-seccomp SHARED jail/preload.c jail/seccomp.c) TARGET_LINK_LIBRARIES(preload-seccomp dl ubox blobmsg_json) INSTALL(TARGETS preload-seccomp diff --git a/service/instance.c b/service/instance.c index b7cb523..35804de 100644 --- a/service/instance.c +++ b/service/instance.c @@ -141,8 +141,6 @@ static const struct rlimit_name rlimit_names[] = { { NULL, 0 } }; -static char trace[] = "/sbin/utrace"; - static void closefd(int fd) { if (fd > STDERR_FILENO) @@ -315,10 +313,15 @@ instance_run(struct service_instance *in, int _stdout, int _stderr) argv = alloca(sizeof(char *) * (argc + in->jail.argc)); argc = 0; +#ifdef SECCOMP_SUPPORT if (in->trace) - argv[argc++] = trace; + argv[argc++] = "/sbin/utrace"; else if (seccomp) argv[argc++] = "/sbin/seccomp-trace"; +#else + if (in->trace || seccomp) + ULOG_WARN("Seccomp support for %s::%s not available\n", in->srv->name, in->name); +#endif if (in->has_jail) argc = jail_run(in, argv); -- 2.11.0