From 7b7d1132e870d4b6265721b673dbb429cc835d6a Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Thu, 18 Aug 2022 18:34:09 +0200
Subject: [PATCH] seccomp: allow "bpf", "perf_event_open", gated by CAP_BPF, CAP_PERFMON

Update the profile to make use of CAP_BPF and CAP_PERFMON capabilities. Prior to kernel 5.8, bpf and perf_event_open required CAP_SYS_ADMIN. This change enables finer control of the privilege setting, thus allowing us to run certain system tracing tools with minimal privileges.

Based on the original patch from Henry Wang in the containerd repository.

Signed-off-by: Sebastiaan van Stijn
---
 profiles/seccomp/default.json | 22 ++++++++++++++++++++++
 profiles/seccomp/default_linux.go | 22 ++++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index d71499f1bc..921b2bd3fe 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -790,6 +790,28 @@
 "CAP_SYSLOG"
 ]
 }
+ },
+ {
+ "names": [
+ "bpf"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "includes": {
+ "caps": [
+ "CAP_BPF"
+ ]
+ }
+ },
+ {
+ "names": [
+ "perf_event_open"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "includes": {
+ "caps": [
+ "CAP_PERFMON"
+ ]
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index 45d53ab7af..775ab275d6 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -777,6 +777,28 @@ func DefaultProfile() *Seccomp {
 Caps: []string{"CAP_SYSLOG"},
 },
 },
+ {
+ LinuxSyscall: specs.LinuxSyscall{
+ Names: []string{
+ "bpf",
+ },
+ Action: specs.ActAllow,
+ },
+ Includes: &Filter{
+ Caps: []string{"CAP_BPF"},
+ },
+ },
+ {
+ LinuxSyscall: specs.LinuxSyscall{
+ Names: []string{
+ "perf_event_open",
+ },
+ Action: specs.ActAllow,
+ },
+ Includes: &Filter{
+ Caps: []string{"CAP_PERFMON"},
+ },
+ },
 }
 
 errnoRet := uint(unix.EPERM)
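Review bot: The two new rules allow the whole `bpf` and `perf_event_open` syscall surface with no argument filtering, gated only on the container holding CAP_BPF or CAP_PERFMON; that is consistent with the surrounding capability-gated entries, but since this JSON appears to mirror `default_linux.go`, any later tightening must land in both files or the two profiles drift. If an earlier entry in this file already lists these two syscalls under CAP_SYS_ADMIN (not visible in this hunk), the new rules are redundant for that case and only matter when the finer-grained capability is granted on its own; it is worth confirming that the loader adds every entry whose `includes.caps` matches rather than stopping at the first match, otherwise the position of these entries at the end of the list would decide whether they take effect.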
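Review bot: The new `bpf` and `perf_event_open` entries carry no comment explaining why they are gated on CAP_BPF and CAP_PERFMON instead of sitting with the other admin-only syscalls, so the kernel-version reasoning lives only in the commit message. A short comment above the first new entry would keep it with the code, e.g. `// Since kernel 5.8, bpf and perf_event_open no longer require CAP_SYS_ADMIN; allow them when the container holds the finer-grained CAP_BPF / CAP_PERFMON.` The enclosing DefaultProfile function starts and ends outside the hunk, and the same change is mirrored in `default.json`, so the comment belongs here where it can be maintained.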