service: Start services normally when seccomp is disabled
authorMichal Sojka <sojkam1@fel.cvut.cz>
Fri, 3 Nov 2017 21:31:41 +0000 (22:31 +0100)
committerJohn Crispin <john@phrozen.org>
Mon, 6 Nov 2017 07:33:08 +0000 (08:33 +0100)
When service init file declares seccomp support (procd_set_param seccomp),
but procd is compiled without seccomp support, the service should be
started normally, because seccomp-trace and utrace are not available.

Older procd versions decided about whether to start a service in
seccomp sandbox or not based on existence of seccomp whitelist in the
filesystem. This was recently removed (c8faedc "Do not disable seccomp
when configuration is not found", 2017-09-12) because it could be easy
for attackers to disable seccomp support. This changes is a follow-up
to the mentioned commit. With it, procd decides about whether to use
seccomp sandbox based only on compile-time configuration.

Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Tested-by: Hans Dedecker <dedeckeh@gmail.com>
CMakeLists.txt
service/instance.c

index 7d05e9760097e27715f9461e3d9702f1f50deb27..4b3eebd7c9e18d10b7489233e6f6cb536d6938dd 100644 (file)
@@ -88,6 +88,7 @@ ADD_CUSTOM_COMMAND(
 ADD_CUSTOM_TARGET(capabilities-names-h DEPENDS capabilities-names.h)
 
 IF(SECCOMP_SUPPORT)
+ADD_DEFINITIONS(-DSECCOMP_SUPPORT)
 ADD_LIBRARY(preload-seccomp SHARED jail/preload.c jail/seccomp.c)
 TARGET_LINK_LIBRARIES(preload-seccomp dl ubox blobmsg_json)
 INSTALL(TARGETS preload-seccomp
index b7cb523f402ea240cafd6dcc1aacc68c8647a374..35804de7c19e2e4d1c666d92c1316ddbbec1e213 100644 (file)
@@ -141,8 +141,6 @@ static const struct rlimit_name rlimit_names[] = {
        { NULL, 0 }
 };
 
-static char trace[] = "/sbin/utrace";
-
 static void closefd(int fd)
 {
        if (fd > STDERR_FILENO)
@@ -315,10 +313,15 @@ instance_run(struct service_instance *in, int _stdout, int _stderr)
        argv = alloca(sizeof(char *) * (argc + in->jail.argc));
        argc = 0;
 
+#ifdef SECCOMP_SUPPORT
        if (in->trace)
-               argv[argc++] = trace;
+               argv[argc++] = "/sbin/utrace";
        else if (seccomp)
                argv[argc++] = "/sbin/seccomp-trace";
+#else
+       if (in->trace || seccomp)
+               ULOG_WARN("Seccomp support for %s::%s not available\n", in->srv->name, in->name);
+#endif
 
        if (in->has_jail)
                argc = jail_run(in, argv);