On Tue, Jun 02, 2020 at 02:44:31PM +0200, Lennart Poettering wrote: > On Mo, 01.06.20 11:21, Kees Cook (keescook@xxxxxxxxxxxx) wrote: > > Would it make sense to provide a systemd setting for services to declare > > "no compat" or "no x32" (I'm not sure what to call this mode more > > generically, "no 32-bit allocation ABI"?) Then you can just install > > a single merged filter for all the native syscalls that starts with > > "if not native, reject"? > > We have that actually, it's this line you pasted above: > > SystemCallArchitectures=native > > It means: block all syscall ABIs but the native one for all processes > of this service. > > We currently use that setting only to synthesize an explicit seccomp > filter masking the other ABIs wholesale. We do not use it to suppress > generation of other, unrelated seccomp filters for that > arch. i.e. which means you might end up with one filter blocking x32 > wholesale, but then another unrelated option might install a filter > blocking some specific syscall with some specific arguments, but still > gets installed for x86-64 *and* i386 *and* x32. I guess we could > relatively easily tweak that and suppress the latter. If we did, then > on all services that set SystemCallArchitectures=native on x86-64 the > number of installed seccomp filters should become a third. Right, that's what I meant -- on x86_64 we've got way too many filters installed if we only care about "native" arch. ;) > > (Or better yet: make the default for filtering be "native only", and > > let services opt into other ABIs?) > > That sounds like it would make people quite unhappy no? given that on > a systemd system anything that runs in userspace is ultimately part of > a service managed by systemd, if we'd default to "no native ABIs" this > would translate to "yeah, we entirely disable the i386 ABI for the > entire system unless you reconfigure it and/or opt-out your old i386 > services". > > Hence, on x86-64, I figure just masking i386 entirely is a bit too > drastic a compat breakage for us, no? Masking x32 otoh sounds like a > safe default to do without breaking too much compat given that x32 is > on its way out. Well, I meant "if seccomp filters get generated, default to native ABI". Right now, it seems most things running from systemd with seccomp filters are daemons, not user processes? (e.g. ssh.server, getty@.service, etc have no filtering attached.) -- Kees Cook
