View Issue Details

ID: 0015934
Project: CentOS-7
Category: systemd
View Status: public
Last Update: 2019-03-19 12:47
Reporter: jan.lalinsky
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: Intel x86
OS: Centos
OS Version: 7
Product Version: 7.6.1810
Summary: 0015934: systemd v219 in Centos 7 does not support SystemCallFilter, although upstream supports it from v187
Description:

The command systemctl --version states that SECCOMP is not supported by the CentOS-distributed systemd:
# systemctl --version
systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN

despite SECCOMP being supported and active in the kernel:

# cat /boot/config-3.10.0-* | grep SECC
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y

When starting a service with a SystemCallFilter directive, no warning or error is indicated, the process runs and systemd does not enforce any seccomp rules.
Steps To Reproduce:

# cat > /etc/systemd/system/sctest.service << EOF
[Unit]
Description=Test seccomp nosymlink
After=network.target

[Service]
Type=oneshot
User=root
Group=root
ExecStart=/usr/local/bin/sctest
SystemCallFilter=~symlink symlinkat

[Install]
WantedBy=multi-user.target

EOF

# systemctl daemon-reload
# systemctl start sctest
# systemctl status sctest
● sctest.service - Test seccomp nosymlink
   Loaded: loaded (/etc/systemd/system/sctest.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Mon 2019-03-18 21:56:10 CET; 27s ago
  Process: 7271 ExecStart=/usr/local/bin/sctest (code=exited, status=0/SUCCESS)
 Main PID: 7271 (code=exited, status=0/SUCCESS)

The sctest process will create a symlink, despite the SystemCallFilter rule. No error at all is reported.
Tags: systemd
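The report above establishes two separate facts a practitioner will want to check on any host before trusting SystemCallFilter=: whether the running systemd was built with seccomp at all (the +SECCOMP/-SECCOMP flag in systemctl --version), and whether a filter in a unit is actually enforced (on this systemd version a forbidden syscall kills the process with SIGSYS, so the symlink must not appear). The following script is an added example, not code from the bug report or from the systemd project; the unit name sctest-probe.service, the link path /run/sctest-probe.link and all function names are my own choices. The sample version output is the one quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether the running systemd
# was built with seccomp support, and whether a SystemCallFilter= line in a
# unit is actually enforced. Unit name, paths and function names are my own.
set -u

# Classify the feature line of `systemctl --version`: "present" (+SECCOMP),
# "absent" (-SECCOMP) or "unknown" (flag not listed at all).
seccomp_build_state() {
    case "$1" in
        *+SECCOMP*) echo present ;;
        *-SECCOMP*) echo absent ;;
        *)          echo unknown ;;
    esac
}

# Constructed sample: the CentOS 7 / RHEL 7 output quoted in the report.
SAMPLE_CENTOS7='systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN'

# Render a oneshot unit that tries to create a symlink while a filter that
# should forbid symlink/symlinkat is in place. $1 = path of the link to attempt.
render_probe_unit() {
    printf '%s\n' \
        '[Unit]' \
        'Description=Probe: is SystemCallFilter enforced?' \
        '' \
        '[Service]' \
        'Type=oneshot' \
        "ExecStart=/bin/ln -s /etc/hostname $1" \
        'SystemCallFilter=~symlink symlinkat'
}

# Decide what happened from observable facts: $1 = "yes" if the symlink now
# exists, $2 = ExecMainCode reported by `systemctl show` (1 exited, 2 killed).
interpret_probe() {
    if [ "$1" = yes ]; then
        echo ignored        # ln succeeded: the filter did nothing
    elif [ "$2" = 2 ]; then
        echo enforced       # ln was killed (SIGSYS) before creating the link
    else
        echo inconclusive   # e.g. ln failed for an unrelated reason
    fi
}

# Live run (needs root and a systemd host): combines both checks. Only the
# long-standing systemctl options are used so it also works on systemd 219.
probe_live() {
    build=$(seccomp_build_state "$(systemctl --version)")
    echo "build-time seccomp support: $build"
    link=/run/sctest-probe.link
    unit=/etc/systemd/system/sctest-probe.service
    rm -f "$link"
    render_probe_unit "$link" > "$unit"
    systemctl daemon-reload
    # start fails when the filter kills ln; that is the expected good case
    systemctl start sctest-probe.service 2>/dev/null || true
    code=$(systemctl show -p ExecMainCode sctest-probe.service | cut -d= -f2)
    if [ -L "$link" ]; then exists=yes; else exists=no; fi
    echo "SystemCallFilter enforcement: $(interpret_probe "$exists" "$code")"
    rm -f "$link" "$unit"
    systemctl daemon-reload
}

if [ "${1:-}" = --live ]; then
    probe_live
fi
```

Run it as root with --live to exercise a real host; without the flag it only defines the helpers. The build-time flag alone is not enough evidence: a -SECCOMP systemd accepts the directive, logs nothing and runs the service unconfined, which is exactly the silent failure the report describes, so the enforcement probe is the check that matters. On the question of where this is decided, systemd 219's configure script autodetects libseccomp unless seccomp support is explicitly requested, so a build root without libseccomp-devel produces a -SECCOMP binary with no explicit switch in the spec file to grep for.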

Activities

jan.lalinsky (reporter), 2019-03-18 21:06, note ~0034037

I didn't find any mention of SECCOMP in systemd.spec from the source rpm. I would expect there to be some remark if systemd was compiled without SECCOMP support.
tigalch (manager), 2019-03-19 06:31, note ~0034040

This is the output I get on an RHEL-7 system:

systemctl --version
systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN

Looks the same to me - no SECCOMP enabled by RH.
jan.lalinsky (reporter), 2019-03-19 08:59, note ~0034041

@tigalch thank you for checking. Is there some recommended way in CentOS/RHEL to check whether some software feature is intentionally disabled by Red Hat/CentOS, and for what reasons? Should I expect this information to be somewhere in the source rpm?
tigalch (manager), 2019-03-19 09:07, note ~0034042

I can't answer all those questions ... If you think the behavior is wrong, please raise a bug at Red Hat's Bugzilla against RHEL-7 (and please cross-reference the bug ID). If/when this is changed, CentOS will inherit the fix.
jan.lalinsky (reporter), 2019-03-19 12:47, note ~0034045

Related bug, probably the same issue/question in RHEL:
https://bugzilla.redhat.com/show_bug.cgi?id=1546063

Issue History

Date Modified Username Field Change
2019-03-18 20:59 jan.lalinsky New Issue
2019-03-18 20:59 jan.lalinsky Tag Attached: systemd
2019-03-18 21:06 jan.lalinsky Note Added: 0034037
2019-03-19 06:31 tigalch Note Added: 0034040
2019-03-19 08:59 jan.lalinsky Note Added: 0034041
2019-03-19 09:07 tigalch Note Added: 0034042
2019-03-19 12:47 jan.lalinsky Note Added: 0034045