commit 28d87561a090d0322c447084a9f5795b3ab6f825 Author: Jay Faulkner Date: Fri Jan 30 14:35:02 2015 -0800 Disable use of seccomp in systemd-nspawn by default To reenable these seccomp protections, launch the container with "--enable-seccomp" or configure them indepedently in a unit file. diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index b0f7aa3..1d95a3c 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -840,6 +840,12 @@ needed. + + + + Enables seccomp protections for the container. + + diff --git a/shell-completion/bash/systemd-nspawn b/shell-completion/bash/systemd-nspawn index 83e34ef..ef8acf7 100644 --- a/shell-completion/bash/systemd-nspawn +++ b/shell-completion/bash/systemd-nspawn @@ -53,7 +53,7 @@ _systemd_nspawn() { local i verb comps local -A OPTS=( - [STANDALONE]='-h --help --version --private-network -b --boot --read-only -q --quiet --share-system --keep-unit --network-veth -j' + [STANDALONE]='-h --help --version --private-network -b --boot --read-only -q --quiet --share-system --keep-unit --network-veth -j --enable-seccomp' [ARG]='-D --directory -u --user --uuid --capability --drop-capability --link-journal --bind --bind-ro -M --machine -S --slice --setenv -Z --selinux-context -L --selinux-apifs-context --register --network-interface --network-bridge --personality -i --image --tmpfs --volatile diff --git a/shell-completion/zsh/_systemd-nspawn b/shell-completion/zsh/_systemd-nspawn index ceedb2c..f4da119 100644 --- a/shell-completion/zsh/_systemd-nspawn +++ b/shell-completion/zsh/_systemd-nspawn @@ -41,4 +41,5 @@ _arguments \ '--personality=[Control the architecture ("personality") reported by uname(2) in the container.]' \ {--quiet,-q}'[Turns off any status output by the tool itself.]' \ {--help,-h}'[Print a short help text and exit.]' \ - '--version[Print a short version string and exit.]' + '--version[Print a short version string and exit.]' \ + '--enable-seccomp=[Enables seccomp protections.]' diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 2beb810..3a3c3ab 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -187,6 +187,7 @@ static unsigned long arg_personality = 0xffffffffLU; static char *arg_image = NULL; static Volatile arg_volatile = VOLATILE_NO; static ExposePort *arg_expose_ports = NULL; +static bool arg_enable_seccomp = false; static void help(void) { printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n" @@ -246,6 +247,7 @@ static void help(void) { " --keep-unit Do not register a scope for the machine, reuse\n" " the service unit nspawn is running in\n" " --volatile[=MODE] Run the system in volatile mode\n" + " --enable-seccomp Enable seccomp protections\n" , program_invocation_short_name); } @@ -294,6 +296,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_PERSONALITY, ARG_VOLATILE, ARG_TEMPLATE, + ARG_ENABLE_SECCOMP, }; static const struct option options[] = { @@ -331,6 +334,7 @@ static int parse_argv(int argc, char *argv[]) { { "image", required_argument, NULL, 'i' }, { "volatile", optional_argument, NULL, ARG_VOLATILE }, { "port", required_argument, NULL, 'p' }, + { "enable-seccomp", no_argument, NULL, ARG_ENABLE_SECCOMP }, {} }; @@ -731,6 +735,10 @@ static int parse_argv(int argc, char *argv[]) { break; } + case ARG_ENABLE_SECCOMP: + arg_enable_seccomp = true; + break; + case '?': return -EINVAL; @@ -2498,6 +2506,9 @@ static int setup_seccomp(void) { unsigned i; int r; + if (!arg_enable_seccomp) + return 0; + seccomp = seccomp_init(SCMP_ACT_ALLOW); if (!seccomp) return log_oom();