Re: [systemd-devel] Is SystemCallFilter working for you?
Hello again, Martin Pitt [2015-06-09 13:00 +0200]: I was about to (re-)enable seccomp support in our systemd packages, and to write an integration test for it. However, it seems that this currently does not seem to work at all. For the archives: Not sure what went wrong yesterday, today it works like a charm. I enabled it in the Debian/Ubuntu packages and wrote an integration test for it. Thanks, Martin -- Martin Pitt| http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org) ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] Is SystemCallFilter working for you?
Hello all, I was about to (re-)enable seccomp support in our systemd packages, and to write an integration test for it. However, it seems that this currently does not seem to work at all. config.h has HAVE_SECCOMP==1, and systemctl --version shows +SECCOMP, kernel has CONFIG_SECCOMP=y, CONFIG_HAVE_ARCH_SECCOMP_FILTER=y, and CONFIG_SECCOMP_FILTER=y, and I'm running on x86-64, so that all seems fine. But if I have a unit like | [Unit] | Description=seccomp test | | [Service] | ExecStart=/bin/cat /etc/machine-id | SystemCallFilter=access (which really ought to fail) it just succeeds. Also, running ./test-execute as root fails in test_exec_systemcallfilter(): | exec-systemcallfilter-failing.service | UMask: 0022 | WorkingDirectory: /home/martin | RootDirectory: / | NonBlocking: no | PrivateTmp: no | PrivateNetwork: no | PrivateDevices: no | ProtectHome: no | ProtectSystem: no | IgnoreSIGPIPE: yes | StandardInput: null | StandardOutput: inherit | StandardError: inherit | This should not be seen | PID: 16439 | Start Timestamp: Tue 2015-06-09 12:56:51 CEST | Exit Timestamp: Tue 2015-06-09 12:56:51 CEST | Exit Code: exited | Exit Status: 0 | Assertion 'service-main_exec_status.status == status_expected' failed at src/test/test-execute.c:57, function check(). Aborting. This is with libseccomp 2.2.1, I tested kernel 3.19 and 4.0. Is that working for anyone else? In particular, could you check if you have HAVE_SECCOMP and test-execute succeeds (as root) for you? Thanks, Martin -- Martin Pitt| http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org) ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Is SystemCallFilter working for you?
On Tue, 09.06.15 13:00, Martin Pitt (martin.p...@ubuntu.com) wrote: Hello all, I was about to (re-)enable seccomp support in our systemd packages, and to write an integration test for it. However, it seems that this currently does not seem to work at all. Works fine here. config.h has HAVE_SECCOMP==1, and systemctl --version shows +SECCOMP, kernel has CONFIG_SECCOMP=y, CONFIG_HAVE_ARCH_SECCOMP_FILTER=y, and CONFIG_SECCOMP_FILTER=y, and I'm running on x86-64, so that all seems fine. Same settings here, on Fedora. All works fine. But if I have a unit like | [Unit] | Description=seccomp test | | [Service] | ExecStart=/bin/cat /etc/machine-id | SystemCallFilter=access (which really ought to fail) it just succeeds. Also, running This fails here, as it should. ./test-execute as root fails in test_exec_systemcallfilter(): | exec-systemcallfilter-failing.service | UMask: 0022 | WorkingDirectory: /home/martin | RootDirectory: / | NonBlocking: no | PrivateTmp: no | PrivateNetwork: no | PrivateDevices: no | ProtectHome: no | ProtectSystem: no | IgnoreSIGPIPE: yes | StandardInput: null | StandardOutput: inherit | StandardError: inherit | This should not be seen | PID: 16439 | Start Timestamp: Tue 2015-06-09 12:56:51 CEST | Exit Timestamp: Tue 2015-06-09 12:56:51 CEST | Exit Code: exited | Exit Status: 0 | Assertion 'service-main_exec_status.status == status_expected' failed at src/test/test-execute.c:57, function check(). Aborting. This is with libseccomp 2.2.1, I tested kernel 3.19 and 4.0. Is that working for anyone else? In particular, could you check if you have HAVE_SECCOMP and test-execute succeeds (as root) for you? The test works fine here too. Seems to be specific to your distro/setup? Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Is SystemCallFilter working for you?
On Tue, Jun 9, 2015 at 1:00 PM, Martin Pitt martin.p...@ubuntu.com wrote: Hello all, I was about to (re-)enable seccomp support in our systemd packages, and to write an integration test for it. However, it seems that this currently does not seem to work at all. config.h has HAVE_SECCOMP==1, and systemctl --version shows +SECCOMP, kernel has CONFIG_SECCOMP=y, CONFIG_HAVE_ARCH_SECCOMP_FILTER=y, and CONFIG_SECCOMP_FILTER=y, and I'm running on x86-64, so that all seems fine. But if I have a unit like | [Unit] | Description=seccomp test | | [Service] | ExecStart=/bin/cat /etc/machine-id | SystemCallFilter=access (which really ought to fail) it just succeeds. Also, running ./test-execute as root fails in test_exec_systemcallfilter(): | exec-systemcallfilter-failing.service | UMask: 0022 | WorkingDirectory: /home/martin | RootDirectory: / | NonBlocking: no | PrivateTmp: no | PrivateNetwork: no | PrivateDevices: no | ProtectHome: no | ProtectSystem: no | IgnoreSIGPIPE: yes | StandardInput: null | StandardOutput: inherit | StandardError: inherit | This should not be seen | PID: 16439 | Start Timestamp: Tue 2015-06-09 12:56:51 CEST | Exit Timestamp: Tue 2015-06-09 12:56:51 CEST | Exit Code: exited | Exit Status: 0 | Assertion 'service-main_exec_status.status == status_expected' failed at src/test/test-execute.c:57, function check(). Aborting. This is with libseccomp 2.2.1, I tested kernel 3.19 and 4.0. Is that working for anyone else? In particular, could you check if you have HAVE_SECCOMP and test-execute succeeds (as root) for you? Hi, It works for me. I tested on my machine with Linux 4.0.5 (archlinux) and libseccomp 2.2.0 and test-execute passed. But by looking at your output, there is something weird, you should have a line like this for this test: SystemCallFilter: exit exit_group rt_sigreturn ioperm execve Just after StandardError: inherit and just before PID: 16439. Because in exec_context_dump() it prints the SystemCallFilter line if it isn't empty. Since test-execute launched the seccomp tests, HAVE_SECCOMP is set, but it seems that syscall_filter == NULL in your case? Thanks, Martin -- Martin Pitt| http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org) ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel