mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Merge pull request #22991 from justincormack/seccompchown
Do not restrict chown via seccomp, just let capabilities control access
This commit is contained in:
Sebastiaan van Stijn
commit
214ab22582
2 changed files with 71 additions and 89 deletions
|
|
@ -56,6 +56,16 @@
|
|||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "chown",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "chown32",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "clock_getres",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
|
|
@ -211,6 +221,21 @@
|
|||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "fchown",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "fchown32",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "fchownat",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "fcntl",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
|
|
@ -556,6 +581,16 @@
|
|||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "lchown",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "lchown32",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "lgetxattr",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
|
|
@ -1522,41 +1557,6 @@
|
|||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "chown",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "chown32",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "fchown",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "fchown32",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "fchownat",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "lchown",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "lchown32",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
},
|
||||
{
|
||||
"name": "chroot",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
|
|
@ -1573,11 +1573,6 @@
|
|||
"op": "SCMP_CMP_MASKED_EQ"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "fchown",
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": []
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -88,6 +88,17 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
|||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "chown",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "chown32",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
|
||||
{
|
||||
Name: "clock_getres",
|
||||
Action: types.ActAllow,
|
||||
|
|
@ -243,6 +254,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
|||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "fchown",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "fchown32",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "fchownat",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "fcntl",
|
||||
Action: types.ActAllow,
|
||||
|
|
@ -588,6 +614,16 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
|||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "lchown",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "lchown32",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "lgetxattr",
|
||||
Action: types.ActAllow,
|
||||
|
|
@ -1591,44 +1627,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
|||
var cap string
|
||||
for _, cap = range rs.Process.Capabilities {
|
||||
switch cap {
|
||||
case "CAP_CHOWN":
|
||||
syscalls = append(syscalls, []*types.Syscall{
|
||||
{
|
||||
Name: "chown",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "chown32",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "fchown",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "fchown32",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "fchownat",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "lchown",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
{
|
||||
Name: "lchown32",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
}...)
|
||||
case "CAP_DAC_READ_SEARCH":
|
||||
syscalls = append(syscalls, []*types.Syscall{
|
||||
{
|
||||
|
|
@ -1853,17 +1851,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
|||
}...)
|
||||
}
|
||||
|
||||
// We need some additional syscalls in this case see #22252
|
||||
if !rs.Process.NoNewPrivileges {
|
||||
syscalls = append(syscalls, []*types.Syscall{
|
||||
{
|
||||
Name: "fchown",
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
},
|
||||
}...)
|
||||
}
|
||||
|
||||
return &types.Seccomp{
|
||||
DefaultAction: types.ActErrno,
|
||||
Architectures: arches(),
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue