Apply systemd sandboxing by default to some services

GavinPacini · May 5, 2021, 11:59am

@Patrick opened fix systemd sandboxing for arm64 platform by GavinPacini · Pull Request #29 · Kicksecure/sdwdate · GitHub - this is working on arm64. Will handle onion-grater next.

Patrick · May 5, 2021, 12:03pm

Awesome!

Patrick · May 5, 2021, 12:11pm

Could you please try sudo systemctl restart sdwdate after it succeeded once? Because first time its sets time using date, subsequent ones using sclockadj. Therefore it might work the first time but break later due to missing secomp whiltelisted syscalls.

I am not also wondering if removing/changing SystemCallArchitectures setting would have been easier.
systemd.exec

Also generally wondering if SystemCallFilter is maintainable or will keep breaking when porting to the next version of Debian (bullseye) or other platforms.

GavinPacini · May 6, 2021, 9:15am

Oh, good catch, sorry for not checking that.

Opened another PR which now also works after restarting the service.

Patrick · May 6, 2021, 1:38pm

No worries.

This is hard to expect.

Merged, and uploaded to Whonix developers repository.

GavinPacini · May 14, 2021, 5:02pm

@Patrick finally got time to check onion-grater

https://github.com/Whonix/onion-grater/pull/10/files

I did restart this a few time also. Anything else I should check?

Patrick · May 15, 2021, 11:07am

Awesome, no, this one is straight forward to test.

GavinPacini · May 15, 2021, 6:42pm

@Patrick I realised that I missed one for sdwdate. The service started but the time never synched, now it does:

Patrick · May 16, 2021, 12:40pm

Merged.

madaidan · May 29, 2021, 3:51pm

We could create multiple arch-specific syscall whitelists to avoid bloating one whitelist with another’s syscalls and use a postinst script to detect the arch and enable the appropriate one.

Patrick · May 29, 2021, 5:10pm

Seems quite complex but if that’s maintained, then OK.

madaidan · May 29, 2021, 5:20pm

Could be something like the following in postinst:

arch="$(uname -m")
## Base syscalls. Suitable for x86.
syscall_whitelist="wait4 select futex read stat close openat fstat lseek mmap rt_sigaction getdents64 mprotect ioctl recvfrom munmap brk rt_sigprocmask fcntl getpid write access socket sendto dup2 clone execve getrandom geteuid getgid madvise getuid getegid readlink pipe rt_sigreturn connect pipe2 prlimit64 set_robust_list dup arch_prctl lstat set_tid_address sysinfo sigaltstack rt_sigsuspend shutdown timer_settime mkdir timer_create statfs getcwd setpgid setsockopt uname bind getpgrp getppid getpeername chdir poll getsockname fadvise64 clock_settime kill getsockopt unlink "

if [ "${arch}" =~ "arm64" ]; then
  ## ARM-specific syscalls.
  syscall_whitelist+="readlinkat newfstatat mkdirat dup3 ppoll pselect6"
elif [ "${arch}" =~ "ppc" ]; then
  ## PowerPC-specific syscalls.
  syscall_whitelist+="_llseek send waitpid recv prctl _newselect"
fi

str_replace "SystemCallFilter=" "SystemCallFilter=${syscall_whitelist}" /lib/systemd/system/sdwdate.service

Patrick · May 29, 2021, 5:57pm

str_replace can be avoided. Best to remove syscall whitelist in /lib/systemd/system/sdwdate.service with a comment to explain new implementation and then add an autogenerated (by postinst) systemd drop-in in /lib/systemd/system/sdwdate.service.d/20_syscall_whitelist.conf.

madaidan · May 29, 2021, 6:02pm

What if we add the base syscall whitelist to /lib/systemd/system/sdwdate.service, but add the arch-specific syscalls to the autogenerated drop-in /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf?

We could also output a message during installation if the arch is not x86/ARM/PPC to say that the seccomp filter may not work correctly.

Patrick · May 29, 2021, 6:14pm

Even better! Didn’t know that is possible But seems possible. Quote relevant man page entry:

SystemCallFilter

This option may be specified more than once, in which case the filter masks are merged.

But has to be carefully scripted to not be empty, because:

If the empty string is assigned, the filter is reset, all prior assignments will have no effect.

Also great! I am a big fan of self-documenting code/features, giving hints to debug for potential future porters.

madaidan · May 29, 2021, 7:24pm

Patrick · May 30, 2021, 8:18pm

mkdir /lib/systemd/system/sdwdate.service.d/

Needs to be mkdir --parents. Would fail otherwise on re-run (next time).

arch=“$(uname -m)”
if [[ “${arch}” =~ “arm64” ]]; then

Is the output of uname -m on arm64 tested?

Quote from Learn how to use Docker | Arm Learning Paths

docker run jasonrandrews/alpine-test:latest@sha256:5966f7b12b7c7ba3146102cf3079e57cccaf1de7228651661276dd1606d84108 uname -m
aarch64

madaidan · May 30, 2021, 11:32pm

This should work. Anything containing “arm” or “aarch” will be caught.

Patrick · May 31, 2021, 5:13am

Awesome! Merged.

Added some minor enhancements on top.

Minor: No need for systemctl daemon-reload. See the actual postinst script once packages was build and post processed by debhelper which has a more robust implementation (battle tested in thousands of packages, maintained by upstream Debian). Removed in git master.

# End automatically added section
# Automatically added by dh_installsystemd/12.1.1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -d /run/systemd/system ]; then
		systemctl --system daemon-reload >/dev/null || true
		if [ -n "$2" ]; then
			_dh_action=restart
		else
			_dh_action=start
		fi
		deb-systemd-invoke $_dh_action 'sdwdate-restart-tor-request-file-watcher.service' 'sdwdate.service' >/dev/null || true
	fi
fi
# End automatically added section

Patrick · February 14, 2022, 10:14am