kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity
moby--moby/profiles/seccomp/default_linux.go

814 lines
15 KiB
Go
Raw Permalink Normal View History

Add canonical import comment Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 21:05:59 +00:00
package seccomp // import "github.com/docker/docker/profiles/seccomp"
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
import (
seccomp: replace types with runtime-spec types Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:49:38 +00:00
"github.com/opencontainers/runtime-spec/specs-go"
[project] change syscall to /x/sys/unix|windows Changes most references of syscall to golang.org/x/sys/ Ones aren't changes include, Errno, Signal and SysProcAttr as they haven't been implemented in /x/sys/. Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com> [s390x] switch utsname from unsigned to signed per https://github.com/golang/sys/commit/33267e036fd93fcd26ea95b7bdaf2d8306cb743c char in s390x in the /x/sys/unix package is now signed, so change the buildtags Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
2017-05-23 14:22:32 +00:00
"golang.org/x/sys/unix"
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
)
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
seccomp: move seccomp types from api into seccomp profile These types were not used in the API, so could not come up with a reason why they were in that package. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:14:16 +00:00
func arches() []Architecture {
return []Architecture{
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
{
seccomp: replace types with runtime-spec types Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:49:38 +00:00
Arch: specs.ArchX86_64,
SubArches: []specs.Arch{specs.ArchX86, specs.ArchX32},
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
},
{
seccomp: replace types with runtime-spec types Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:49:38 +00:00
Arch: specs.ArchAARCH64,
SubArches: []specs.Arch{specs.ArchARM},
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
},
Block bpf syscall from default seccomp profile The bpf syscall can load code into the kernel which may persist beyond container lifecycle. Requires CAP_SYS_ADMIN already. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 17:28:30 +00:00
{
seccomp: replace types with runtime-spec types Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:49:38 +00:00
Arch: specs.ArchMIPS64,
SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64N32},
Block bpf syscall from default seccomp profile The bpf syscall can load code into the kernel which may persist beyond container lifecycle. Requires CAP_SYS_ADMIN already. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 17:28:30 +00:00
},
Block clock_adjtime in default seccomp config clock_adjtime is the new posix style version of adjtime allowing a specific clock to be specified. Time is not namespaced, so do not allow. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 12:48:16 +00:00
{
seccomp: replace types with runtime-spec types Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:49:38 +00:00
Arch: specs.ArchMIPS64N32,
SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64},
Block clock_adjtime in default seccomp config clock_adjtime is the new posix style version of adjtime allowing a specific clock to be specified. Time is not namespaced, so do not allow. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 12:48:16 +00:00
},
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
{
seccomp: replace types with runtime-spec types Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:49:38 +00:00
Arch: specs.ArchMIPSEL64,
SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64N32},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
Do not restrict chown via seccomp, just let capabilities control access In #22554 I aligned seccomp and capabilities, however the case of the chown calls and CAP_CHOWN was less clearcut, as these are simple calls that the capabilities will block if they are not allowed. They are needed when no new privileges is not set in order to allow docker to call chown before the container is started, so there was a workaround but this did not include all the chown syscalls, and Arm was failing on some seccomp tests because it was using a different syscall from just the fchown that was allowed in this case. It is simpler to just allow all the chown calls in the default seccomp profile and let the capabilities subsystem block them. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-25 19:49:30 +00:00
{
seccomp: replace types with runtime-spec types Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:49:38 +00:00
Arch: specs.ArchMIPSEL64N32,
SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64},
Do not restrict chown via seccomp, just let capabilities control access In #22554 I aligned seccomp and capabilities, however the case of the chown calls and CAP_CHOWN was less clearcut, as these are simple calls that the capabilities will block if they are not allowed. They are needed when no new privileges is not set in order to allow docker to call chown before the container is started, so there was a workaround but this did not include all the chown syscalls, and Arm was failing on some seccomp tests because it was using a different syscall from just the fchown that was allowed in this case. It is simpler to just allow all the chown calls in the default seccomp profile and let the capabilities subsystem block them. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-25 19:49:30 +00:00
},
{
seccomp: replace types with runtime-spec types Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:49:38 +00:00
Arch: specs.ArchS390X,
SubArches: []specs.Arch{specs.ArchS390},
Do not restrict chown via seccomp, just let capabilities control access In #22554 I aligned seccomp and capabilities, however the case of the chown calls and CAP_CHOWN was less clearcut, as these are simple calls that the capabilities will block if they are not allowed. They are needed when no new privileges is not set in order to allow docker to call chown before the container is started, so there was a workaround but this did not include all the chown syscalls, and Arm was failing on some seccomp tests because it was using a different syscall from just the fchown that was allowed in this case. It is simpler to just allow all the chown calls in the default seccomp profile and let the capabilities subsystem block them. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-25 19:49:30 +00:00
},
seccomp: support riscv64 Corresponds to containerd PR 6882 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-05-02 08:08:56 +00:00
{
Arch: specs.ArchRISCV64,
SubArches: nil,
},
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
}
}
Do not restrict chown via seccomp, just let capabilities control access In #22554 I aligned seccomp and capabilities, however the case of the chown calls and CAP_CHOWN was less clearcut, as these are simple calls that the capabilities will block if they are not allowed. They are needed when no new privileges is not set in order to allow docker to call chown before the container is started, so there was a workaround but this did not include all the chown syscalls, and Arm was failing on some seccomp tests because it was using a different syscall from just the fchown that was allowed in this case. It is simpler to just allow all the chown calls in the default seccomp profile and let the capabilities subsystem block them. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-25 19:49:30 +00:00
Replace uses of blacklist/whitelist Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-07-14 08:41:34 +00:00
// DefaultProfile defines the allowed syscalls for the default seccomp profile.
seccomp: move seccomp types from api into seccomp profile These types were not used in the API, so could not come up with a reason why they were in that package. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:14:16 +00:00
func DefaultProfile() *Seccomp {
seccomp: add support for "clone3" syscall in default policy If no seccomp policy is requested, then the built-in default policy in dockerd applies. This has no rule for "clone3" defined, nor any default errno defined. So when runc receives the config it attempts to determine a default errno, using logic defined in its commit: https://github.com/opencontainers/runc/commit/7a8d7162f9d72f20d83eaa36aeb5426deecd58f2 As explained in the above commit message, runc uses a heuristic to decide which errno to return by default: [quote] The solution applied here is to prepend a "stub" filter which returns -ENOSYS if the requested syscall has a larger syscall number than any syscall mentioned in the filter. The reason for this specific rule is that syscall numbers are (roughly) allocated sequentially and thus newer syscalls will (usually) have a larger syscall number -- thus causing our filters to produce -ENOSYS if the filter was written before the syscall existed. [/quote] Unfortunately clone3 appears to one of the edge cases that does not result in use of ENOSYS, instead ending up with the historical EPERM errno. Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use clone3 by default. If it sees ENOSYS then it will automatically fallback to using clone. Any other errno is treated as a fatal error. Thus when docker seccomp policy triggers EPERM from clone3, no fallback occurs and programs are thus unable to spawn threads. The clone3 syscall is much more complicated than clone, most notably its flags are not exposed as a directly argument any more. Instead they are hidden inside a struct. This means that seccomp filters are unable to apply policy based on values seen in flags. Thus we can't directly replicate the current "clone" filtering for "clone3". We can at least ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone" at which point we can filter on flags. Fixes: https://github.com/moby/moby/issues/42680 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-07-26 18:10:01 +00:00
nosys := uint(unix.ENOSYS)
seccomp: move seccomp types from api into seccomp profile These types were not used in the API, so could not come up with a reason why they were in that package. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:14:16 +00:00
syscalls := []*Syscall{
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"accept",
"accept4",
"access",
"adjtimex",
"alarm",
"bind",
"brk",
"capget",
"capset",
"chdir",
"chmod",
"chown",
"chown32",
"clock_adjtime",
"clock_adjtime64",
"clock_getres",
"clock_getres_time64",
"clock_gettime",
"clock_gettime64",
"clock_nanosleep",
"clock_nanosleep_time64",
"close",
"close_range",
"connect",
"copy_file_range",
"creat",
"dup",
"dup2",
"dup3",
"epoll_create",
"epoll_create1",
"epoll_ctl",
"epoll_ctl_old",
"epoll_pwait",
"epoll_pwait2",
"epoll_wait",
"epoll_wait_old",
"eventfd",
"eventfd2",
"execve",
"execveat",
"exit",
"exit_group",
"faccessat",
"faccessat2",
"fadvise64",
"fadvise64_64",
"fallocate",
"fanotify_mark",
"fchdir",
"fchmod",
"fchmodat",
"fchown",
"fchown32",
"fchownat",
"fcntl",
"fcntl64",
"fdatasync",
"fgetxattr",
"flistxattr",
"flock",
"fork",
"fremovexattr",
"fsetxattr",
"fstat",
"fstat64",
"fstatat64",
"fstatfs",
"fstatfs64",
"fsync",
"ftruncate",
"ftruncate64",
"futex",
"futex_time64",
Allow different syscalls from kernels 5.12 -> 5.16 Kernel 5.12: mount_setattr: needs CAP_SYS_ADMIN Kernel 5.14: quotactl_fd: needs CAP_SYS_ADMIN memfd_secret: always allowed Kernel 5.15: process_mrelease: always allowed Kernel 5.16: futex_waitv: always allowed Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2022-05-13 09:20:48 +00:00
"futex_waitv",
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
"futimesat",
"getcpu",
"getcwd",
"getdents",
"getdents64",
"getegid",
"getegid32",
"geteuid",
"geteuid32",
"getgid",
"getgid32",
"getgroups",
"getgroups32",
"getitimer",
"getpeername",
"getpgid",
"getpgrp",
"getpid",
"getppid",
"getpriority",
"getrandom",
"getresgid",
"getresgid32",
"getresuid",
"getresuid32",
"getrlimit",
"get_robust_list",
"getrusage",
"getsid",
"getsockname",
"getsockopt",
"get_thread_area",
"gettid",
"gettimeofday",
"getuid",
"getuid32",
"getxattr",
"inotify_add_watch",
"inotify_init",
"inotify_init1",
"inotify_rm_watch",
"io_cancel",
"ioctl",
"io_destroy",
"io_getevents",
"io_pgetevents",
"io_pgetevents_time64",
"ioprio_get",
"ioprio_set",
"io_setup",
"io_submit",
"io_uring_enter",
"io_uring_register",
"io_uring_setup",
"ipc",
"kill",
seccomp: add support for Landlock syscalls in default policy This commit allows the Landlock[0] system calls in the default seccomp policy. Landlock was introduced in kernel 5.13, to fill the gap that inspecting filepaths passed as arguments to filesystem system calls is not really possible with pure `seccomp` (unless involving `ptrace`). Allowing Landlock by default fits in with allowing `seccomp` for containerized applications to voluntarily restrict their access rights to files within the container. [0]: https://www.kernel.org/doc/html/latest/userspace-api/landlock.html Signed-off-by: Tudor Brindus <me@tbrindus.ca>
2022-01-30 18:08:46 +00:00
"landlock_add_rule",
"landlock_create_ruleset",
"landlock_restrict_self",
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
"lchown",
"lchown32",
"lgetxattr",
"link",
"linkat",
"listen",
"listxattr",
"llistxattr",
"_llseek",
"lremovexattr",
"lseek",
"lsetxattr",
"lstat",
"lstat64",
"madvise",
"membarrier",
"memfd_create",
Allow different syscalls from kernels 5.12 -> 5.16 Kernel 5.12: mount_setattr: needs CAP_SYS_ADMIN Kernel 5.14: quotactl_fd: needs CAP_SYS_ADMIN memfd_secret: always allowed Kernel 5.15: process_mrelease: always allowed Kernel 5.16: futex_waitv: always allowed Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2022-05-13 09:20:48 +00:00
"memfd_secret",
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
"mincore",
"mkdir",
"mkdirat",
"mknod",
"mknodat",
"mlock",
"mlock2",
"mlockall",
"mmap",
"mmap2",
"mprotect",
"mq_getsetattr",
"mq_notify",
"mq_open",
"mq_timedreceive",
"mq_timedreceive_time64",
"mq_timedsend",
"mq_timedsend_time64",
"mq_unlink",
"mremap",
"msgctl",
"msgget",
"msgrcv",
"msgsnd",
"msync",
"munlock",
"munlockall",
"munmap",
"nanosleep",
"newfstatat",
"_newselect",
"open",
"openat",
"openat2",
"pause",
"pidfd_open",
"pidfd_send_signal",
"pipe",
"pipe2",
profiles: seccomp: add syscalls related to PKU in default policy Add pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) in seccomp default profile. pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) can only configure the calling process's own memory, so they are existing "safe for everyone" syscalls. close issue: #43481 Signed-off-by: zhubojun <bojun.zhu@foxmail.com>
2022-04-15 03:29:11 +00:00
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
"poll",
"ppoll",
"ppoll_time64",
"prctl",
"pread64",
"preadv",
"preadv2",
"prlimit64",
Allow different syscalls from kernels 5.12 -> 5.16 Kernel 5.12: mount_setattr: needs CAP_SYS_ADMIN Kernel 5.14: quotactl_fd: needs CAP_SYS_ADMIN memfd_secret: always allowed Kernel 5.15: process_mrelease: always allowed Kernel 5.16: futex_waitv: always allowed Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2022-05-13 09:20:48 +00:00
"process_mrelease",
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
"pselect6",
"pselect6_time64",
"pwrite64",
"pwritev",
"pwritev2",
"read",
"readahead",
"readlink",
"readlinkat",
"readv",
"recv",
"recvfrom",
"recvmmsg",
"recvmmsg_time64",
"recvmsg",
"remap_file_pages",
"removexattr",
"rename",
"renameat",
"renameat2",
"restart_syscall",
"rmdir",
"rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
"rt_sigqueueinfo",
"rt_sigreturn",
"rt_sigsuspend",
"rt_sigtimedwait",
"rt_sigtimedwait_time64",
"rt_tgsigqueueinfo",
"sched_getaffinity",
"sched_getattr",
"sched_getparam",
"sched_get_priority_max",
"sched_get_priority_min",
"sched_getscheduler",
"sched_rr_get_interval",
"sched_rr_get_interval_time64",
"sched_setaffinity",
"sched_setattr",
"sched_setparam",
"sched_setscheduler",
"sched_yield",
"seccomp",
"select",
"semctl",
"semget",
"semop",
"semtimedop",
"semtimedop_time64",
"send",
"sendfile",
"sendfile64",
"sendmmsg",
"sendmsg",
"sendto",
"setfsgid",
"setfsgid32",
"setfsuid",
"setfsuid32",
"setgid",
"setgid32",
"setgroups",
"setgroups32",
"setitimer",
"setpgid",
"setpriority",
"setregid",
"setregid32",
"setresgid",
"setresgid32",
"setresuid",
"setresuid32",
"setreuid",
"setreuid32",
"setrlimit",
"set_robust_list",
"setsid",
"setsockopt",
"set_thread_area",
"set_tid_address",
"setuid",
"setuid32",
"setxattr",
"shmat",
"shmctl",
"shmdt",
"shmget",
"shutdown",
"sigaltstack",
"signalfd",
"signalfd4",
"sigprocmask",
"sigreturn",
"socket",
"socketcall",
"socketpair",
"splice",
"stat",
"stat64",
"statfs",
"statfs64",
"statx",
"symlink",
"symlinkat",
"sync",
"sync_file_range",
"syncfs",
"sysinfo",
"tee",
"tgkill",
"time",
"timer_create",
"timer_delete",
"timer_getoverrun",
"timer_gettime",
"timer_gettime64",
"timer_settime",
"timer_settime64",
"timerfd_create",
"timerfd_gettime",
"timerfd_gettime64",
"timerfd_settime",
"timerfd_settime64",
"times",
"tkill",
"truncate",
"truncate64",
"ugetrlimit",
"umask",
"uname",
"unlink",
"unlinkat",
"utime",
"utimensat",
"utimensat_time64",
"utimes",
"vfork",
"vmsplice",
"wait4",
"waitid",
"waitpid",
"write",
"writev",
},
Action: specs.ActAllow,
},
},
{
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"process_vm_readv",
"process_vm_writev",
"ptrace",
},
Action: specs.ActAllow,
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
seccomp: implement marshal/unmarshall for MinVersion Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-01 10:26:46 +00:00
MinKernel: &KernelVersion{4, 8},
seccomp: allow ptrace for 4.8+ kernels 4.8+ kernels have fixed the ptrace security issues so we can allow ptrace(2) on the default seccomp profile if we do the kernel version check. https://github.com/torvalds/linux/commit/93e35efb8de45393cf61ed07f7b407629bf698ea Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-11-03 04:00:15 +00:00
},
},
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{"personality"},
Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{
{
Index: 0,
Value: 0x0,
Op: specs.OpEqualTo,
},
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
},
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
},
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{"personality"},
Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{
{
Index: 0,
Value: 0x0008,
Op: specs.OpEqualTo,
},
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
},
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
},
seccomp: Allow personality with UNAME26 bit set. From personality(2): Have uname(2) report a 2.6.40+ version number rather than a 3.x version number. Added as a stopgap measure to support broken applications that could not handle the kernel version-numbering switch from 2.6.x to 3.x. This allows both "UNAME26|PER_LINUX" and "UNAME26|PER_LINUX32". Fixes: #32839 Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-05-02 14:05:01 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{"personality"},
Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{
{
Index: 0,
Value: 0x20000,
Op: specs.OpEqualTo,
},
seccomp: Allow personality with UNAME26 bit set. From personality(2): Have uname(2) report a 2.6.40+ version number rather than a 3.x version number. Added as a stopgap measure to support broken applications that could not handle the kernel version-numbering switch from 2.6.x to 3.x. This allows both "UNAME26|PER_LINUX" and "UNAME26|PER_LINUX32". Fixes: #32839 Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-05-02 14:05:01 +00:00
},
},
},
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{"personality"},
Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{
{
Index: 0,
Value: 0x20008,
Op: specs.OpEqualTo,
},
seccomp: Allow personality with UNAME26 bit set. From personality(2): Have uname(2) report a 2.6.40+ version number rather than a 3.x version number. Added as a stopgap measure to support broken applications that could not handle the kernel version-numbering switch from 2.6.x to 3.x. This allows both "UNAME26|PER_LINUX" and "UNAME26|PER_LINUX32". Fixes: #32839 Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-05-02 14:05:01 +00:00
},
},
},
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{"personality"},
Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{
{
Index: 0,
Value: 0xffffffff,
Op: specs.OpEqualTo,
},
Block obsolete socket families in the default seccomp profile Linux supports many obsolete address families, which are usually available in common distro kernels, but they are less likely to be properly audited and may have security issues This blocks all socket families in the socket (and socketcall where applicable) syscall except - AF_UNIX - Unix domain sockets - AF_INET - IPv4 - AF_INET6 - IPv6 - AF_NETLINK - Netlink sockets for communicating with the ekrnel - AF_PACKET - raw sockets, which are only allowed with CAP_NET_RAW All other socket families are blocked, including Appletalk (native, not over IP), IPX (remember that!), VSOCK and HVSOCK, which should not generally be used in containers, etc. Note that users can of course provide a profile per container or in the daemon config if they have unusual use cases that require these. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-12-02 16:41:26 +00:00
},
},
},
Allow sync_file_range2 on supported architectures. Signed-off-by: Gabriel Linder <linder.gabriel@gmail.com>
2017-02-13 12:55:53 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"sync_file_range2",
seccomp: add support for "swapcontext" syscall in default policy This system call is only available on the 32- and 64-bit PowerPC, it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environment, such as Systemd nspawn already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby. This issue was encountered on Alpine Linux GitLab CI system, which uses moby, when attempting to execute gcc-go compiled software on ppc64le. [1]: https://github.com/systemd/systemd/pull/9487 [2]: https://github.com/systemd/systemd/issues/9485 Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net>
2021-12-18 13:06:07 +00:00
"swapcontext",
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
},
Action: specs.ActAllow,
Allow sync_file_range2 on supported architectures. Signed-off-by: Gabriel Linder <linder.gabriel@gmail.com>
2017-02-13 12:55:53 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
Allow sync_file_range2 on supported architectures. Signed-off-by: Gabriel Linder <linder.gabriel@gmail.com>
2017-02-13 12:55:53 +00:00
Arches: []string{"ppc64le"},
},
},
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"arm_fadvise64_64",
"arm_sync_file_range",
"sync_file_range2",
"breakpoint",
"cacheflush",
"set_tls",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Arches: []string{"arm", "arm64"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"arch_prctl",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Arches: []string{"amd64", "x32"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"modify_ldt",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Arches: []string{"amd64", "x32", "x86"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"s390_pci_mmio_read",
"s390_pci_mmio_write",
"s390_runtime_instr",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Arches: []string{"s390", "s390x"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
seccomp: support riscv64 Corresponds to containerd PR 6882 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-05-02 08:08:56 +00:00
{
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"riscv_flush_icache",
},
Action: specs.ActAllow,
},
Includes: &Filter{
Arches: []string{"riscv64"},
},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"open_by_handle_at",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_DAC_READ_SEARCH"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
add 32bit syscalls to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:48:31 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"bpf",
"clone",
seccomp: add support for "clone3" syscall in default policy If no seccomp policy is requested, then the built-in default policy in dockerd applies. This has no rule for "clone3" defined, nor any default errno defined. So when runc receives the config it attempts to determine a default errno, using logic defined in its commit: https://github.com/opencontainers/runc/commit/7a8d7162f9d72f20d83eaa36aeb5426deecd58f2 As explained in the above commit message, runc uses a heuristic to decide which errno to return by default: [quote] The solution applied here is to prepend a "stub" filter which returns -ENOSYS if the requested syscall has a larger syscall number than any syscall mentioned in the filter. The reason for this specific rule is that syscall numbers are (roughly) allocated sequentially and thus newer syscalls will (usually) have a larger syscall number -- thus causing our filters to produce -ENOSYS if the filter was written before the syscall existed. [/quote] Unfortunately clone3 appears to one of the edge cases that does not result in use of ENOSYS, instead ending up with the historical EPERM errno. Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use clone3 by default. If it sees ENOSYS then it will automatically fallback to using clone. Any other errno is treated as a fatal error. Thus when docker seccomp policy triggers EPERM from clone3, no fallback occurs and programs are thus unable to spawn threads. The clone3 syscall is much more complicated than clone, most notably its flags are not exposed as a directly argument any more. Instead they are hidden inside a struct. This means that seccomp filters are unable to apply policy based on values seen in flags. Thus we can't directly replicate the current "clone" filtering for "clone3". We can at least ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone" at which point we can filter on flags. Fixes: https://github.com/moby/moby/issues/42680 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-07-26 18:10:01 +00:00
"clone3",
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
"fanotify_init",
"fsconfig",
"fsmount",
"fsopen",
"fspick",
"lookup_dcookie",
"mount",
Allow different syscalls from kernels 5.12 -> 5.16 Kernel 5.12: mount_setattr: needs CAP_SYS_ADMIN Kernel 5.14: quotactl_fd: needs CAP_SYS_ADMIN memfd_secret: always allowed Kernel 5.15: process_mrelease: always allowed Kernel 5.16: futex_waitv: always allowed Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2022-05-13 09:20:48 +00:00
"mount_setattr",
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
"move_mount",
"name_to_handle_at",
"open_tree",
"perf_event_open",
"quotactl",
Allow different syscalls from kernels 5.12 -> 5.16 Kernel 5.12: mount_setattr: needs CAP_SYS_ADMIN Kernel 5.14: quotactl_fd: needs CAP_SYS_ADMIN memfd_secret: always allowed Kernel 5.15: process_mrelease: always allowed Kernel 5.16: futex_waitv: always allowed Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2022-05-13 09:20:48 +00:00
"quotactl_fd",
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
"setdomainname",
"sethostname",
"setns",
"syslog",
"umount",
"umount2",
"unshare",
},
Action: specs.ActAllow,
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_ADMIN"},
},
add 32bit syscalls to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:48:31 +00:00
},
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"clone",
},
Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{
{
Index: 0,
Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
ValueTwo: 0,
Op: specs.OpMaskedEqual,
},
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Excludes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_ADMIN"},
Arches: []string{"s390", "s390x"},
},
add 32bit syscalls to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:48:31 +00:00
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"clone",
},
Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{
{
Index: 1,
Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
ValueTwo: 0,
Op: specs.OpMaskedEqual,
},
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
},
Comment: "s390 parameter ordering for clone is different",
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Arches: []string{"s390", "s390x"},
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Excludes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_ADMIN"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
seccomp: add support for "clone3" syscall in default policy If no seccomp policy is requested, then the built-in default policy in dockerd applies. This has no rule for "clone3" defined, nor any default errno defined. So when runc receives the config it attempts to determine a default errno, using logic defined in its commit: https://github.com/opencontainers/runc/commit/7a8d7162f9d72f20d83eaa36aeb5426deecd58f2 As explained in the above commit message, runc uses a heuristic to decide which errno to return by default: [quote] The solution applied here is to prepend a "stub" filter which returns -ENOSYS if the requested syscall has a larger syscall number than any syscall mentioned in the filter. The reason for this specific rule is that syscall numbers are (roughly) allocated sequentially and thus newer syscalls will (usually) have a larger syscall number -- thus causing our filters to produce -ENOSYS if the filter was written before the syscall existed. [/quote] Unfortunately clone3 appears to one of the edge cases that does not result in use of ENOSYS, instead ending up with the historical EPERM errno. Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use clone3 by default. If it sees ENOSYS then it will automatically fallback to using clone. Any other errno is treated as a fatal error. Thus when docker seccomp policy triggers EPERM from clone3, no fallback occurs and programs are thus unable to spawn threads. The clone3 syscall is much more complicated than clone, most notably its flags are not exposed as a directly argument any more. Instead they are hidden inside a struct. This means that seccomp filters are unable to apply policy based on values seen in flags. Thus we can't directly replicate the current "clone" filtering for "clone3". We can at least ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone" at which point we can filter on flags. Fixes: https://github.com/moby/moby/issues/42680 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-07-26 18:10:01 +00:00
{
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"clone3",
},
Action: specs.ActErrno,
ErrnoRet: &nosys,
},
Excludes: &Filter{
Caps: []string{"CAP_SYS_ADMIN"},
},
},
add 32bit syscalls to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:48:31 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"reboot",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_BOOT"},
},
add 32bit syscalls to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:48:31 +00:00
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"chroot",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_CHROOT"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"delete_module",
"init_module",
"finit_module",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_MODULE"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
add 32bit syscalls to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:48:31 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"acct",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_PACCT"},
},
add 32bit syscalls to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:48:31 +00:00
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"kcmp",
"pidfd_getfd",
"process_madvise",
"process_vm_readv",
"process_vm_writev",
"ptrace",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_PTRACE"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"iopl",
"ioperm",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_RAWIO"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"settimeofday",
"stime",
"clock_settime",
profiles: seccomp: allow clock_settime64 when CAP_SYS_TIME is added Signed-off-by: Bastien Pascard <bpascard@hotmail.com>
2022-07-06 21:45:13 +00:00
"clock_settime64",
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_TIME"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"vhangup",
},
Action: specs.ActAllow,
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-07-13 13:41:30 +00:00
Caps: []string{"CAP_SYS_TTY_CONFIG"},
},
change seccomp blacklist to whitelist Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 21:06:10 +00:00
},
Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile * Update profile to match docker documentation at https://docs.docker.com/engine/security/seccomp/ Signed-off-by: Nicolas V Castet <nvcastet@us.ibm.com>
2018-06-08 15:41:48 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"get_mempolicy",
"mbind",
"set_mempolicy",
},
Action: specs.ActAllow,
Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile * Update profile to match docker documentation at https://docs.docker.com/engine/security/seccomp/ Signed-off-by: Nicolas V Castet <nvcastet@us.ibm.com>
2018-06-08 15:41:48 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile * Update profile to match docker documentation at https://docs.docker.com/engine/security/seccomp/ Signed-off-by: Nicolas V Castet <nvcastet@us.ibm.com>
2018-06-08 15:41:48 +00:00
Caps: []string{"CAP_SYS_NICE"},
},
},
Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG This call is what is used to implement `dmesg` to get kernel messages about the host. This can leak substantial information about the host. It is normally available to unprivileged users on the host, unless the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set by standard on the majority of distributions. Blocking this to restrict leaks about the configuration seems correct. Fix #37897 See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2018-09-27 21:27:05 +00:00
{
seccomp.Syscall: embed runtime-spec Syscall type This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields; adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container (capabilities) and host's (architecture, kernel) configuration. This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers; `[]*LinuxSeccompArg`. In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:30:14 +00:00
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"syslog",
},
Action: specs.ActAllow,
Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG This call is what is used to implement `dmesg` to get kernel messages about the host. This can leak substantial information about the host. It is normally available to unprivileged users on the host, unless the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set by standard on the majority of distributions. Blocking this to restrict leaks about the configuration seems correct. Fix #37897 See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2018-09-27 21:27:05 +00:00
},
profiles/seccomp.Syscall: use pointers and omitempty These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-09 13:46:50 +00:00
Includes: &Filter{
Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG This call is what is used to implement `dmesg` to get kernel messages about the host. This can leak substantial information about the host. It is normally available to unprivileged users on the host, unless the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set by standard on the majority of distributions. Blocking this to restrict leaks about the configuration seems correct. Fix #37897 See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2018-09-27 21:27:05 +00:00
Caps: []string{"CAP_SYSLOG"},
},
},
seccomp: allow "bpf", "perf_event_open", gated by CAP_BPF, CAP_PERFMON Update the profile to make use of CAP_BPF and CAP_PERFMON capabilities. Prior to kernel 5.8, bpf and perf_event_open required CAP_SYS_ADMIN. This change enables finer control of the privilege setting, thus allowing us to run certain system tracing tools with minimal privileges. Based on the original patch from Henry Wang in the containerd repository. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 16:34:09 +00:00
{
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"bpf",
},
Action: specs.ActAllow,
},
Includes: &Filter{
Caps: []string{"CAP_BPF"},
},
},
{
LinuxSyscall: specs.LinuxSyscall{
Names: []string{
"perf_event_open",
},
Action: specs.ActAllow,
},
Includes: &Filter{
Caps: []string{"CAP_PERFMON"},
},
},
Align default seccomp profile with selected capabilities Currently the default seccomp profile is fixed. This changes it so that it varies depending on the Linux capabilities selected with the --cap-add and --cap-drop options. Without this, if a user adds privileges, eg to allow ptrace with --cap-add sys_ptrace then still cannot actually use ptrace as it is still blocked by seccomp, so they will probably disable seccomp or use --privileged. With this change the syscalls that are needed for the capability are also allowed by the seccomp profile based on the selected capabilities. While this patch makes it easier to do things with for example cap_sys_admin enabled, as it will now allow creating new namespaces and use of mount, it still allows less than --cap-add cap_sys_admin --security-opt seccomp:unconfined would have previously. It is not recommended that users run containers with cap_sys_admin as this does give full access to the host machine. It also cleans up some architecture specific system calls to be only selected when needed. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-06 14:17:41 +00:00
}
seccomp: Use explicit DefaultErrnoRet Since commit "seccomp: Sync fields with runtime-spec fields" (5d244675bdb23e8fce427036c03517243f344cd4) we support to specify the DefaultErrnoRet to be used. Before that commit it was not specified and EPERM was used by default. This commit keeps the same behaviour but just makes it explicit that the default is EPERM. Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-07-30 14:47:17 +00:00
errnoRet := uint(unix.EPERM)
seccomp: move seccomp types from api into seccomp profile These types were not used in the API, so could not come up with a reason why they were in that package. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 16:14:16 +00:00
return &Seccomp{
seccomp: Seccomp: embed oci-spec LinuxSeccomp, add support for seccomp flags This patch, similar to d92739713c633c155c0f3d8065c8278b1d8a44e7, embeds the `LinuxSeccomp` type of the runtime-spec, so that we can support all options provided by the spec, and decorates it with our own fields. With this, profiles can make use of the recently added "Flags" field, to specify flags that must be passed to seccomp(2) when installing the filter. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 15:55:04 +00:00
LinuxSeccomp: specs.LinuxSeccomp{
seccomp: Use explicit DefaultErrnoRet Since commit "seccomp: Sync fields with runtime-spec fields" (5d244675bdb23e8fce427036c03517243f344cd4) we support to specify the DefaultErrnoRet to be used. Before that commit it was not specified and EPERM was used by default. This commit keeps the same behaviour but just makes it explicit that the default is EPERM. Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-07-30 14:47:17 +00:00
DefaultAction: specs.ActErrno,
DefaultErrnoRet: &errnoRet,
seccomp: Seccomp: embed oci-spec LinuxSeccomp, add support for seccomp flags This patch, similar to d92739713c633c155c0f3d8065c8278b1d8a44e7, embeds the `LinuxSeccomp` type of the runtime-spec, so that we can support all options provided by the spec, and decorates it with our own fields. With this, profiles can make use of the recently added "Flags" field, to specify flags that must be passed to seccomp(2) when installing the filter. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 15:55:04 +00:00
},
ArchMap: arches(),
Syscalls: syscalls,
Align default seccomp profile with selected capabilities Currently the default seccomp profile is fixed. This changes it so that it varies depending on the Linux capabilities selected with the --cap-add and --cap-drop options. Without this, if a user adds privileges, eg to allow ptrace with --cap-add sys_ptrace then still cannot actually use ptrace as it is still blocked by seccomp, so they will probably disable seccomp or use --privileged. With this change the syscalls that are needed for the capability are also allowed by the seccomp profile based on the selected capabilities. While this patch makes it easier to do things with for example cap_sys_admin enabled, as it will now allow creating new namespaces and use of mount, it still allows less than --cap-add cap_sys_admin --security-opt seccomp:unconfined would have previously. It is not recommended that users run containers with cap_sys_admin as this does give full access to the host machine. It also cleans up some architecture specific system calls to be only selected when needed. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-06 14:17:41 +00:00
}
set default seccomp profile Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-18 18:01:58 +00:00
}