Merge pull request #38137 from tonistiigi/seccomp-ptrace

seccomp: allow ptrace(2) for 4.8+ kernels
Justin Cormack 2019-02-05 13:47:43 +00:00 committed by GitHub
commit 1603af9689
4 changed files with 53 additions and 3 deletions


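--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -77,8 +77,9 @@ type Arg struct {
 // Filter is used to conditionally apply Seccomp rules
 type Filter struct {
 Caps []string `json:"caps,omitempty"`
 Arches []string `json:"arches,omitempty"`
+MinKernel string `json:"minKernel,omitempty"`
 }
 // Syscall is used to match a group of syscalls in Seccomp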
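Review bot: The new `MinKernel` field in `Filter` carries no comment saying what format it takes or how it is compared, and neither of the neighbouring fields gives a hint. From the daemon-side hunk in this same commit it is parsed with `kernel.ParseRelease` and the rule matches when the running kernel is at least that version, so record that on the field: `// MinKernel is the minimum kernel release (e.g. "4.8.0") for which this filter matches; compared against the running kernel at profile setup time.` It is worth adding that a value `ParseRelease` rejects makes the whole profile setup fail rather than being ignored, since custom profiles are operator-supplied and that is the behaviour they will hit first.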


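--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -366,6 +366,18 @@
 "includes": {},
 "excludes": {}
 },
+{
+"names": [
+"ptrace"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": null,
+"comment": "",
+"includes": {
+"minKernel": "4.8.0"
+},
+"excludes": {}
+},
 {
 "names": [
 "personality"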


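--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -8,7 +8,8 @@ import (
 "fmt"
 "github.com/docker/docker/api/types"
-"github.com/opencontainers/runtime-spec/specs-go"
+"github.com/docker/docker/pkg/parsers/kernel"
+specs "github.com/opencontainers/runtime-spec/specs-go"
 libseccomp "github.com/seccomp/libseccomp-golang"
 )
@@ -95,6 +96,21 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e
 newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
+var currentKernelVersion *kernel.VersionInfo
+kernelGreaterEqualThan := func(v string) (bool, error) {
+version, err := kernel.ParseRelease(v)
+if err != nil {
+return false, err
+}
+if currentKernelVersion == nil {
+currentKernelVersion, err = kernel.GetKernelVersion()
+if err != nil {
+return false, err
+}
+}
+return kernel.CompareKernelVersion(*version, *currentKernelVersion) <= 0, nil
+}
 Loop:
 // Loop through all syscall blocks and convert them to libcontainer format after filtering them
 for _, call := range config.Syscalls {
@@ -110,6 +126,13 @@ Loop:
 }
 }
 }
+if call.Excludes.MinKernel != "" {
+if ok, err := kernelGreaterEqualThan(call.Excludes.MinKernel); err != nil {
+return nil, err
+} else if ok {
+continue Loop
+}
+}
 if len(call.Includes.Arches) > 0 {
 if !inSlice(call.Includes.Arches, arch) {
 continue Loop
@@ -122,6 +145,13 @@ Loop:
 }
 }
 }
+if call.Includes.MinKernel != "" {
+if ok, err := kernelGreaterEqualThan(call.Includes.MinKernel); err != nil {
+return nil, err
+} else if !ok {
+continue Loop
+}
+}
 if call.Name != "" && len(call.Names) != 0 {
 return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")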
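Review bot: A malformed `minKernel` in an operator-supplied profile surfaces as the bare `kernel.ParseRelease` error at the `return nil, err` line of both new blocks (the `Excludes.MinKernel` check and the `Includes.MinKernel` check), with nothing naming the rule or field that produced it, and the same bare return is used when `kernel.GetKernelVersion` fails, so a bad profile and a host problem are indistinguishable in the daemon error. Wrap the error with the offending value at both sites, e.g. `return nil, fmt.Errorf("invalid minKernel %q in seccomp profile: %v", call.Includes.MinKernel, err)` and the `call.Excludes.MinKernel` counterpart; `fmt` is already imported in this file. The fail-closed shape is the right one and should stay: a rule whose kernel gate cannot be evaluated is not silently allowed, and an `Includes.MinKernel` rule that does not match is simply not added to the filter, so the profile's default action covers that syscall. `setupSeccomp` starts and ends outside the hunks shown.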


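--- a/PATH-NOT-ON-PAGE-4
+++ b/PATH-NOT-ON-PAGE-4
@@ -356,6 +356,13 @@ func DefaultProfile() *types.Seccomp {
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
+{
+Names: []string{"ptrace"},
+Action: types.ActAllow,
+Includes: types.Filter{
+MinKernel: "4.8.0",
+},
+},
 {
 Names: []string{"personality"},
 Action: types.ActAllow,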
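Review bot: The new `ptrace` rule gives no reason for the `4.8.0` cut-off even though that threshold is the whole point of the rule, and the profile has a comment slot for exactly this (the JSON hunk in this commit shows it as an empty `"comment"`). Presumably 4.8 is the release from which a tracer can no longer alter a syscall after the seccomp filter has accepted it, which is why allowing ptrace below that version would weaken the profile; whatever the exact reason, put it on the rule, e.g. `Comment: "ptrace is allowed only on kernels >= 4.8.0, where it can no longer be used to bypass the seccomp filter"`. If the JSON profile is generated from this function, regenerate it afterwards so the two stay in sync.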