
seccomp: allow ptrace for 4.8+ kernels

Kernels 4.8 and later have fixed the ptrace security issues (see the kernel
commit referenced below), so ptrace(2) can be allowed in the default seccomp
profile, gated by a kernel version check.

93e35efb8d

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This commit is contained in:
Tonis Tiigi 2018-11-02 21:00:15 -07:00
parent 35985ca087
commit 1124543ca8
4 changed files with 53 additions and 3 deletions


@ -79,6 +79,7 @@ type Arg struct {
type Filter struct { type Filter struct {
Caps []string `json:"caps,omitempty"` Caps []string `json:"caps,omitempty"`
Arches []string `json:"arches,omitempty"` Arches []string `json:"arches,omitempty"`
MinKernel string `json:"minKernel,omitempty"`
} }
// Syscall is used to match a group of syscalls in Seccomp // Syscall is used to match a group of syscalls in Seccomp
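Review bot: The new `MinKernel` field is undocumented, and nothing in the struct says what the string should look like or which kernel it is compared against, so a profile author has to read the seccomp package to find out. A doc comment above the field would fix that, e.g. `// MinKernel is the lowest kernel release (e.g. "4.8.0") for which this filter matches; it is compared against the running kernel's version.` The JSON tag itself is consistent with the neighbouring fields and needs no change.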


@ -366,6 +366,18 @@
"includes": {}, "includes": {},
"excludes": {} "excludes": {}
}, },
{
"names": [
"ptrace"
],
"action": "SCMP_ACT_ALLOW",
"args": null,
"comment": "",
"includes": {
"minKernel": "4.8.0"
},
"excludes": {}
},
{ {
"names": [ "names": [
"personality" "personality"
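Review bot: The ptrace entry ships with `"comment": ""`, so the profile itself gives no hint why a syscall that was blocked by default is now allowed from 4.8.0 onward; the rationale lives only in the commit message. A one-line comment such as `"comment": "allowed on 4.8+ kernels, which fixed the ptrace/seccomp issues (kernel commit 93e35efb8d)"` keeps the reason next to the rule. Note that `minKernel` is a plain version-string comparison: a pre-4.8 kernel with the fix backported still keeps ptrace blocked, which fails closed and is acceptable, but operators should not expect the gate to detect the fix itself. `"args": null` here also differs from the empty-array form other entries presumably carry and is worth normalising when the file is regenerated.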


@ -8,7 +8,8 @@ import (
"fmt" "fmt"
"github.com/docker/docker/api/types" "github.com/docker/docker/api/types"
"github.com/opencontainers/runtime-spec/specs-go" "github.com/docker/docker/pkg/parsers/kernel"
specs "github.com/opencontainers/runtime-spec/specs-go"
libseccomp "github.com/seccomp/libseccomp-golang" libseccomp "github.com/seccomp/libseccomp-golang"
) )
@ -95,6 +96,21 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction) newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
var currentKernelVersion *kernel.VersionInfo
kernelGreaterEqualThan := func(v string) (bool, error) {
version, err := kernel.ParseRelease(v)
if err != nil {
return false, err
}
if currentKernelVersion == nil {
currentKernelVersion, err = kernel.GetKernelVersion()
if err != nil {
return false, err
}
}
return kernel.CompareKernelVersion(*version, *currentKernelVersion) <= 0, nil
}
Loop: Loop:
// Loop through all syscall blocks and convert them to libcontainer format after filtering them // Loop through all syscall blocks and convert them to libcontainer format after filtering them
for _, call := range config.Syscalls { for _, call := range config.Syscalls {
@ -110,6 +126,13 @@ Loop:
} }
} }
} }
if call.Excludes.MinKernel != "" {
if ok, err := kernelGreaterEqualThan(call.Excludes.MinKernel); err != nil {
return nil, err
} else if ok {
continue Loop
}
}
if len(call.Includes.Arches) > 0 { if len(call.Includes.Arches) > 0 {
if !inSlice(call.Includes.Arches, arch) { if !inSlice(call.Includes.Arches, arch) {
continue Loop continue Loop
@ -122,6 +145,13 @@ Loop:
} }
} }
} }
if call.Includes.MinKernel != "" {
if ok, err := kernelGreaterEqualThan(call.Includes.MinKernel); err != nil {
return nil, err
} else if !ok {
continue Loop
}
}
if call.Name != "" && len(call.Names) != 0 { if call.Name != "" && len(call.Names) != 0 {
return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'") return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
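Review bot: `kernelGreaterEqualThan` has no comment and its name reads backwards at first glance — it reports whether the running kernel is at least `v`, via `CompareKernelVersion(*version, *currentKernelVersion) <= 0` — so a header comment is worth adding: `// kernelGreaterEqualThan reports whether the running kernel's release is >= v; uname is read lazily and cached for the rest of this call.` Both call sites return the error when the version string cannot be parsed or uname fails, so an unparsable `minKernel` makes the whole profile fail loudly instead of resolving to allow or deny by accident, which is the right direction for a security gate and deserves a short why-comment at those `return nil, err` lines. The enclosing `setupSeccomp` starts before this hunk and the `for` loop over `config.Syscalls` continues after it.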


@ -356,6 +356,13 @@ func DefaultProfile() *types.Seccomp {
Action: types.ActAllow, Action: types.ActAllow,
Args: []*types.Arg{}, Args: []*types.Arg{},
}, },
{
Names: []string{"ptrace"},
Action: types.ActAllow,
Includes: types.Filter{
MinKernel: "4.8.0",
},
},
{ {
Names: []string{"personality"}, Names: []string{"personality"},
Action: types.ActAllow, Action: types.ActAllow,
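Review bot: The new ptrace entry omits `Args`, unlike the sibling entry at the top of this hunk which sets `Args: []*types.Arg{}`; with a nil slice the entry serialises as `"args": null` (as the regenerated default.json in this commit shows) instead of `[]`, so any consumer that distinguishes the two sees an inconsistent profile. Add `Args: []*types.Arg{},` after `Action`. The entry also carries no `Comment`; since it relaxes the default profile, a short rationale belongs here, e.g. `Comment: "ptrace is allowed on 4.8+ kernels, which fixed the ptrace/seccomp issues (kernel commit 93e35efb8d)",` — assuming `types.Syscall` has a Comment field, as the `"comment"` key in default.json suggests. `DefaultProfile` itself starts before this hunk.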