seccomp: move brk+mmap+mmap2 into @default syscall filter set

These three syscalls are internally used by libc's memory allocation logic, i.e. ultimately back malloc(). Allocating a bit of memory is so basic, it should just be in the default set. This fixes a couple of issues with asan/msan and the seccomp tests: when asan/msan is used some additional, large memory allocations take place in the background, and unless mmap/mmap2/brk are allowlisted these will fail, aborting the test prematurely.
Merge pull request #17667 from fbuihuu/fix-module-loading-from-udev-rule
2020-11-19 16:44:50 +01:00 · 2020-11-19 16:35:32 +01:00 · 2020-11-19 16:16:17 +01:00 · 2020-11-19 11:50:52 +01:00 · 2020-11-19 09:49:42 +01:00
5 changed files with 23 additions and 14 deletions
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@ -233,13 +233,11 @@
        resolver is not capable of authenticating the server, so it is
        vulnerable to "man-in-the-middle" attacks.</para>

-        <para>In addition to this global DNSOverTLS setting
+        <para>In addition to this global <varname>DNSOverTLS=</varname> setting
        <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-        also maintains per-link DNSOverTLS settings. For system DNS
-        servers (see above), only the global DNSOverTLS setting is in
-        effect. For per-link DNS servers the per-link
-        setting is in effect, unless it is unset in which case the
-        global setting is used instead.</para>
+        also maintains per-link <varname>DNSOverTLS=</varname> settings. For system DNS servers (see above), only the global
+        <varname>DNSOverTLS=</varname> setting is in effect. For per-link DNS servers the per-link setting is in effect, unless
+        it is unset in which case the global setting is used instead.</para>

        <para>Defaults to off.</para>
        </listitem>
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -282,6 +282,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                .name = "@default",
                .help = "System calls that are always permitted",
                .value =
+                "brk\0"
                "cacheflush\0"
                "clock_getres\0"
                "clock_getres_time64\0"
@ -319,6 +320,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "getuid\0"
                "getuid32\0"
                "membarrier\0"
+                "mmap\0"
+                "mmap2\0"
                "nanosleep\0"
                "pause\0"
                "prlimit64\0"
@ -468,8 +471,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "mkdirat\0"
                "mknod\0"
                "mknodat\0"
-                "mmap\0"
-                "mmap2\0"
                "munmap\0"
                "newfstatat\0"
                "oldfstat\0"
@ -844,7 +845,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "@signal\0"
                "@sync\0"
                "@timer\0"
-                "brk\0"
                "capget\0"
                "capset\0"
                "copy_file_range\0"
--- a/units/modprobe@.service
+++ b/units/modprobe@.service
@ -13,7 +13,6 @@ DefaultDependencies=no
 Before=sysinit.target
 Documentation=man:modprobe(8)
 ConditionCapability=CAP_SYS_MODULE
-ConditionPathExists=!/sys/module/%I

 [Service]
 Type=oneshot
--- a/units/sys-fs-fuse-connections.mount
+++ b/units/sys-fs-fuse-connections.mount
@ -12,12 +12,18 @@ Description=FUSE Control File System
 Documentation=https://www.kernel.org/doc/Documentation/filesystems/fuse.txt
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
-ConditionPathExists=/sys/fs/fuse/connections
 ConditionCapability=CAP_SYS_ADMIN
 ConditionVirtualization=!private-users
-After=systemd-modules-load.service
 Before=sysinit.target

+# These dependencies are used to make certain that the module is fully
+# loaded. Indeed udev starts this unit when it receives an uevent for the
+# module but the kernel sends it too early, ie before the init() of the module
+# is fully operational and /sys/fs/fuse/connections is created, see issue#17586.
+
+After=modprobe@fuse.service
+Requires=modprobe@fuse.service
+
 [Mount]
 What=fusectl
 Where=/sys/fs/fuse/connections
--- a/units/sys-kernel-config.mount
+++ b/units/sys-kernel-config.mount
@ -12,11 +12,17 @@ Description=Kernel Configuration File System
 Documentation=https://www.kernel.org/doc/Documentation/filesystems/configfs/configfs.txt
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
-ConditionPathExists=/sys/kernel/config
 ConditionCapability=CAP_SYS_RAWIO
-After=systemd-modules-load.service
 Before=sysinit.target

+# These dependencies are used to make certain that the module is fully
+# loaded. Indeed udev starts this unit when it receives an uevent for the
+# module but the kernel sends it too early, ie before the init() of the module
+# is fully operational and /sys/kernel/config is created, see issue#17586.
+
+After=modprobe@configfs.service
+Requires=modprobe@configfs.service
+
 [Mount]
 What=configfs
 Where=/sys/kernel/config
Author	SHA1	Message	Date
Lennart Poettering	5abede3247	seccomp: move brk+mmap+mmap2 into @default syscall filter set These three syscalls are internally used by libc's memory allocation logic, i.e. ultimately back malloc(). Allocating a bit of memory is so basic, it should just be in the default set. This fixes a couple of issues with asan/msan and the seccomp tests: when asan/msan is used some additional, large memory allocations take place in the background, and unless mmap/mmap2/brk are allowlisted these will fail, aborting the test prematurely.	2020-11-19 16:44:50 +01:00
Zbigniew Jędrzejewski-Szmek	bca0618705	Merge pull request #17667 from fbuihuu/fix-module-loading-from-udev-rule Fix module loading from udev rule	2020-11-19 16:35:32 +01:00
Lennart Poettering	bb4cbb25d4	man: suffix settings name with = and enclose in <varname>	2020-11-19 16:16:17 +01:00
Franck Bui	42cc2855ba	units: wait until some fs modules are entirely loaded before mounting their corresponding filesystem udev requests to start the fs mount units when their respective module is loaded. For that it monitors uevents of type "ADD" for the relevant fs modules. However the uevent is sent by the kernel too early, ie before the init() of the module is called hence before directories in /sys/fs/ are created. This patch workarounds adds "Requires/After=modprobe@<fs-module>.service" to the mount unit, which means that modprobe(8) will be called once the fs module is announced to be loaded. This sounds pointless, but given that modprobe only returns after the initialization of the module is complete, it should workaround the issue. As a side effect, the module will be automatically loaded if the mount unit is started manually. Fixes #17586.	2020-11-19 11:50:52 +01:00
Franck Bui	b3e32582f6	Revert "units: skip modprobe@.service if the unit appears to be already loaded" This reverts commit `9cbf1e58f9`. The presence of /sys/module/%I directory can't be used to assert that the load of a given module is complete and therefore the call to modprobe(8) can be skipped. Indeed this directory is created before the init() function of the module is called. Users of modprobe@.service needs to be sure that once this service returns the module is fully operational.	2020-11-19 09:49:42 +01:00