Apply systemd sandboxing by default to some services

Patrick · May 6, 2021, 1:38pm

No worries.

This is hard to expect.

Merged, and uploaded to Whonix developers repository.

GavinPacini · May 14, 2021, 5:02pm

@Patrick finally got time to check onion-grater

https://github.com/Whonix/onion-grater/pull/10/files

I did restart this a few time also. Anything else I should check?

Patrick · May 15, 2021, 11:07am

Awesome, no, this one is straight forward to test.

GavinPacini · May 15, 2021, 6:42pm

@Patrick I realised that I missed one for sdwdate. The service started but the time never synched, now it does:

Patrick · May 16, 2021, 12:40pm

Merged.

madaidan · May 29, 2021, 3:51pm

We could create multiple arch-specific syscall whitelists to avoid bloating one whitelist with another’s syscalls and use a postinst script to detect the arch and enable the appropriate one.

Patrick · May 29, 2021, 5:10pm

Seems quite complex but if that’s maintained, then OK.

madaidan · May 29, 2021, 5:20pm

Could be something like the following in postinst:

arch="$(uname -m")
## Base syscalls. Suitable for x86.
syscall_whitelist="wait4 select futex read stat close openat fstat lseek mmap rt_sigaction getdents64 mprotect ioctl recvfrom munmap brk rt_sigprocmask fcntl getpid write access socket sendto dup2 clone execve getrandom geteuid getgid madvise getuid getegid readlink pipe rt_sigreturn connect pipe2 prlimit64 set_robust_list dup arch_prctl lstat set_tid_address sysinfo sigaltstack rt_sigsuspend shutdown timer_settime mkdir timer_create statfs getcwd setpgid setsockopt uname bind getpgrp getppid getpeername chdir poll getsockname fadvise64 clock_settime kill getsockopt unlink "

if [ "${arch}" =~ "arm64" ]; then
  ## ARM-specific syscalls.
  syscall_whitelist+="readlinkat newfstatat mkdirat dup3 ppoll pselect6"
elif [ "${arch}" =~ "ppc" ]; then
  ## PowerPC-specific syscalls.
  syscall_whitelist+="_llseek send waitpid recv prctl _newselect"
fi

str_replace "SystemCallFilter=" "SystemCallFilter=${syscall_whitelist}" /lib/systemd/system/sdwdate.service

Patrick · May 29, 2021, 5:57pm

str_replace can be avoided. Best to remove syscall whitelist in /lib/systemd/system/sdwdate.service with a comment to explain new implementation and then add an autogenerated (by postinst) systemd drop-in in /lib/systemd/system/sdwdate.service.d/20_syscall_whitelist.conf.

madaidan · May 29, 2021, 6:02pm

What if we add the base syscall whitelist to /lib/systemd/system/sdwdate.service, but add the arch-specific syscalls to the autogenerated drop-in /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf?

We could also output a message during installation if the arch is not x86/ARM/PPC to say that the seccomp filter may not work correctly.

Patrick · May 29, 2021, 6:14pm

Even better! Didn’t know that is possible But seems possible. Quote relevant man page entry:

SystemCallFilter

This option may be specified more than once, in which case the filter masks are merged.

But has to be carefully scripted to not be empty, because:

If the empty string is assigned, the filter is reset, all prior assignments will have no effect.

Also great! I am a big fan of self-documenting code/features, giving hints to debug for potential future porters.

madaidan · May 29, 2021, 7:24pm

Patrick · May 30, 2021, 8:18pm

mkdir /lib/systemd/system/sdwdate.service.d/

Needs to be mkdir --parents. Would fail otherwise on re-run (next time).

arch=“$(uname -m)”
if [[ “${arch}” =~ “arm64” ]]; then

Is the output of uname -m on arm64 tested?

Quote from Learn how to use Docker | Arm Learning Paths

docker run jasonrandrews/alpine-test:latest@sha256:5966f7b12b7c7ba3146102cf3079e57cccaf1de7228651661276dd1606d84108 uname -m
aarch64

madaidan · May 30, 2021, 11:32pm

This should work. Anything containing “arm” or “aarch” will be caught.

Patrick · May 31, 2021, 5:13am

Awesome! Merged.

Added some minor enhancements on top.

Minor: No need for systemctl daemon-reload. See the actual postinst script once packages was build and post processed by debhelper which has a more robust implementation (battle tested in thousands of packages, maintained by upstream Debian). Removed in git master.

# End automatically added section
# Automatically added by dh_installsystemd/12.1.1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -d /run/systemd/system ]; then
		systemctl --system daemon-reload >/dev/null || true
		if [ -n "$2" ]; then
			_dh_action=restart
		else
			_dh_action=start
		fi
		deb-systemd-invoke $_dh_action 'sdwdate-restart-tor-request-file-watcher.service' 'sdwdate.service' >/dev/null || true
	fi
fi
# End automatically added section

Patrick · February 14, 2022, 10:14am

Patrick · February 16, 2022, 11:37pm

Patrick · May 13, 2023, 8:27am

Patrick · May 13, 2023, 8:30am

Patrick · May 13, 2023, 8:32am

Would dropping SystemCallArchitectures=native simplify syscall filter?