diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 212ff49942..51ec3d43bb 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -56,6 +56,16 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
+ {
+ "name": "chown",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "chown32",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
 {
 "name": "clock_getres",
 "action": "SCMP_ACT_ALLOW",
@@ -211,6 +221,21 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
+ {
+ "name": "fchown",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "fchown32",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "fchownat",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
 {
 "name": "fcntl",
 "action": "SCMP_ACT_ALLOW",
@@ -556,6 +581,16 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
+ {
+ "name": "lchown",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "lchown32",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
 {
 "name": "lgetxattr",
 "action": "SCMP_ACT_ALLOW",
@@ -1522,41 +1557,6 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
- {
- "name": "chown",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "chown32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "fchown",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "fchown32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "fchownat",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "lchown",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "lchown32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
 {
 "name": "chroot",
 "action": "SCMP_ACT_ALLOW",
@@ -1573,11 +1573,6 @@
 "op": "SCMP_CMP_MASKED_EQ"
 }
 ]
- },
- {
- "name": "fchown",
- "action": "SCMP_ACT_ALLOW",
- "args": []
 }
 ]
 }
\ No newline at end of file
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index a088412351..a6e2c653be 100644
--- a/profiles/seccomp/seccomp_default.go
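Review bot: The JSON profile has no way to express the CAP_CHOWN or NoNewPrivileges conditions the Go profile used, so on this side the chown-family entries were already unconditional: these hunks only move chown, chown32, fchown, fchown32, fchownat, lchown and lchown32 into alphabetical position and drop the second fchown entry that trailed the list, leaving the JSON and Go profiles with the same seven names. If default.json is produced from seccomp_default.go (not determinable from this page), regenerating it rather than hand-editing keeps the two in step; either way a test asserting that both lists contain the same names would catch future drift. Two small things while the file is touched: the index line shows mode 100755 on a data file, which can be 100644, and the `\ No newline at end of file` marker shows the file still ends without a trailing newline.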
+++ b/profiles/seccomp/seccomp_default.go
@@ -88,6 +88,17 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
+ {
+ Name: "chown",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Name: "chown32",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
 Name: "clock_getres",
 Action: types.ActAllow,
@@ -243,6 +254,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
+ {
+ Name: "fchown",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Name: "fchown32",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Name: "fchownat",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
 {
 Name: "fcntl",
 Action: types.ActAllow,
@@ -588,6 +614,16 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
+ {
+ Name: "lchown",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Name: "lchown32",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
 {
 Name: "lgetxattr",
 Action: types.ActAllow,
@@ -1591,44 +1627,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 var cap string
 for _, cap = range rs.Process.Capabilities {
 switch cap {
- case "CAP_CHOWN":
- syscalls = append(syscalls, []*types.Syscall{
- {
- Name: "chown",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "chown32",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "fchown",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "fchown32",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "fchownat",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "lchown",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "lchown32",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- }...)
 case "CAP_DAC_READ_SEARCH":
 syscalls = append(syscalls, []*types.Syscall{
 {
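Review bot: Adding the chown family to the base list makes these syscalls allowed regardless of the container's capability set, and with the `case "CAP_CHOWN":` branch removed in the @@ -1591 hunk (and the NoNewPrivileges fchown special case removed in the @@ -1853 hunk) dropping CAP_CHOWN no longer turns them into EPERM at the seccomp layer; a caller without the capability is now stopped only by the kernel's own ownership check inside the syscall. That is presumably the intent, but nothing in the hunk records it, and a reader comparing these entries with the capability-gated cases that remain in the switch will wonder why chown is treated differently. A one-line comment on the first new entry would capture the decision, e.g. `// chown family is allowed unconditionally; the kernel's CAP_CHOWN check still governs ownership changes`. DefaultProfile starts before and ends after these hunks.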
@@ -1853,17 +1851,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 }...)
 }
 
- // We need some additional syscalls in this case see #22252
- if !rs.Process.NoNewPrivileges {
- syscalls = append(syscalls, []*types.Syscall{
- {
- Name: "fchown",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- }...)
- }
-
 return &types.Seccomp{
 DefaultAction: types.ActErrno,
 Architectures: arches(),
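Review bot: Removing this block also removes the only cross-reference to #22252, which explained why fchown had to be allowed when NoNewPrivileges was unset; with fchown now in the unconditional list earlier in DefaultProfile, that history is no longer findable from the source. Suggest carrying the reference over to the new fchown entry in the @@ -243 hunk, e.g. `// fchown is also needed when NoNewPrivileges is false, see #22252`. The enclosing function starts before this hunk.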