mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Merge pull request #22991 from justincormack/seccompchown

Do not restrict chown via seccomp, just let capabilities control access
Sebastiaan van Stijn 2016-05-26 11:19:10 +02:00
commit 214ab22582
2 changed files with 71 additions and 89 deletions


@ -56,6 +56,16 @@
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [] "args": []
}, },
{
"name": "chown",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "chown32",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{ {
"name": "clock_getres", "name": "clock_getres",
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
@ -211,6 +221,21 @@
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [] "args": []
}, },
{
"name": "fchown",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "fchown32",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "fchownat",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{ {
"name": "fcntl", "name": "fcntl",
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
@ -556,6 +581,16 @@
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [] "args": []
}, },
{
"name": "lchown",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "lchown32",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{ {
"name": "lgetxattr", "name": "lgetxattr",
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
@ -1522,41 +1557,6 @@
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [] "args": []
}, },
{
"name": "chown",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "chown32",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "fchown",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "fchown32",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "fchownat",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "lchown",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "lchown32",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{ {
"name": "chroot", "name": "chroot",
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
@ -1573,11 +1573,6 @@
"op": "SCMP_CMP_MASKED_EQ" "op": "SCMP_CMP_MASKED_EQ"
} }
] ]
},
{
"name": "fchown",
"action": "SCMP_ACT_ALLOW",
"args": []
} }
] ]
} }


@ -88,6 +88,17 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
Action: types.ActAllow, Action: types.ActAllow,
Args: []*types.Arg{}, Args: []*types.Arg{},
}, },
{
Name: "chown",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "chown32",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{ {
Name: "clock_getres", Name: "clock_getres",
Action: types.ActAllow, Action: types.ActAllow,
@ -243,6 +254,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
Action: types.ActAllow, Action: types.ActAllow,
Args: []*types.Arg{}, Args: []*types.Arg{},
}, },
{
Name: "fchown",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "fchown32",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "fchownat",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{ {
Name: "fcntl", Name: "fcntl",
Action: types.ActAllow, Action: types.ActAllow,
@ -588,6 +614,16 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
Action: types.ActAllow, Action: types.ActAllow,
Args: []*types.Arg{}, Args: []*types.Arg{},
}, },
{
Name: "lchown",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "lchown32",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{ {
Name: "lgetxattr", Name: "lgetxattr",
Action: types.ActAllow, Action: types.ActAllow,
@ -1591,44 +1627,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
var cap string var cap string
for _, cap = range rs.Process.Capabilities { for _, cap = range rs.Process.Capabilities {
switch cap { switch cap {
case "CAP_CHOWN":
syscalls = append(syscalls, []*types.Syscall{
{
Name: "chown",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "chown32",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "fchown",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "fchown32",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "fchownat",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "lchown",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "lchown32",
Action: types.ActAllow,
Args: []*types.Arg{},
},
}...)
case "CAP_DAC_READ_SEARCH": case "CAP_DAC_READ_SEARCH":
syscalls = append(syscalls, []*types.Syscall{ syscalls = append(syscalls, []*types.Syscall{
{ {
@ -1853,17 +1851,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
}...) }...)
} }
// We need some additional syscalls in this case see #22252
if !rs.Process.NoNewPrivileges {
syscalls = append(syscalls, []*types.Syscall{
{
Name: "fchown",
Action: types.ActAllow,
Args: []*types.Arg{},
},
}...)
}
return &types.Seccomp{ return &types.Seccomp{
DefaultAction: types.ActErrno, DefaultAction: types.ActErrno,
Architectures: arches(), Architectures: arches(),
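Review bot: The chown-family entries added to the unconditional allow-list (`chown`/`chown32`, `fchown`/`fchown32`/`fchownat`, `lchown`/`lchown32`) carry no comment explaining why they are exempt from the capability switch that still gates other syscalls, such as the `CAP_DAC_READ_SEARCH` case. The only explanatory comment, the #22252 reference, is deleted together with the `NoNewPrivileges` special case. I would add a comment above the first `chown` entry, for example `// chown family is always allowed: ownership changes are authorised by the kernel's CAP_CHOWN check, not by seccomp (see #22252)`. The diffstat shows two changed files and neither looks like a test, so a regression test is worth adding: a container started without CAP_CHOWN should still get EPERM when changing a file to another owner, since the seccomp profile no longer backstops that check. DefaultProfile begins and ends outside the visible hunks, so this is based only on the lines shown.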