mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Add new syscalls in libseccomp 2.3.0 to seccomp default profile

This adds the following new syscalls that are supported in libseccomp 2.3.0,
including calls added up to kernel 4.5-rc4:
mlock2 - same as mlock but with a flag
copy_file_range - copy file contents, like splice but with reflink support.

The following are not added, and mentioned in docs:
userfaultfd - userspace page fault handling, mainly designed for process migration

The following are not added, only apply to less common architectures:
switch_endian
membarrier
breakpoint
set_tls
I plan to review the other architectures, some of which can now have seccomp
enabled in the build as they are now supported.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Justin Cormack 2016-03-16 21:17:32 +00:00
parent f2b1b44de8
commit 96896f2d0b
3 changed files with 21 additions and 0 deletions

@ -127,6 +127,7 @@ the reason each syscall is blocked rather than white-listed.
| `umount2` | Should be a privileged operation. | | `umount2` | Should be a privileged operation. |
| `unshare` | Deny cloning new namespaces for processes. Also gated by `CAP_SYS_ADMIN`, with the exception of `unshare --user`. | | `unshare` | Deny cloning new namespaces for processes. Also gated by `CAP_SYS_ADMIN`, with the exception of `unshare --user`. |
| `uselib` | Older syscall related to shared libraries, unused for a long time. | | `uselib` | Older syscall related to shared libraries, unused for a long time. |
| `userfaultfd` | Userspace page fault handling, largely needed for process migration. |
| `ustat` | Obsolete syscall. | | `ustat` | Obsolete syscall. |
| `vm86` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. | | `vm86` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. |
| `vm86old` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. | | `vm86old` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. |
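
Review bot: the new `userfaultfd` row says what the syscall is for, not why it is blocked, which is what this table is meant to record ("the reason each syscall is blocked rather than white-listed"). The neighbouring rows give a reason ("Obsolete syscall", "Should be a privileged operation"); please add the equivalent here. The commit message also lists `switch_endian`, `membarrier`, `breakpoint` and `set_tls` as not added, and this hunk does not document them; either a row each or one sentence noting that they are architecture-specific would close that gap.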

@ -113,6 +113,11 @@
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [] "args": []
}, },
{
"name": "copy_file_range",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{ {
"name": "creat", "name": "creat",
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
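
Review bot: the `copy_file_range` entry relies on a syscall name that the commit message says is only supported from libseccomp 2.3.0, and nothing in this change states what happens when the profile is loaded on a host built against an older libseccomp. Please document the minimum libseccomp version, or confirm that an unknown syscall name is skipped rather than failing container start.
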
@ -713,6 +718,11 @@
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [] "args": []
}, },
{
"name": "mlock2",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{ {
"name": "mlockall", "name": "mlockall",
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
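
Review bot: the `mlock2` entry is allowed with `"args": []`, so the flag argument that distinguishes it from `mlock` (per the commit message) is not filtered. That matches the unconditional `mlockall` entry next to it, so it is probably intended, but a line in the commit message or the docs saying that any flag value is acceptable would make that explicit.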

@ -145,6 +145,11 @@ var DefaultProfile = &types.Seccomp{
Action: types.ActAllow, Action: types.ActAllow,
Args: []*types.Arg{}, Args: []*types.Arg{},
}, },
{
Name: "copy_file_range",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{ {
Name: "creat", Name: "creat",
Action: types.ActAllow, Action: types.ActAllow,
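
Review bot: the `copy_file_range` entry added to `DefaultProfile` is a hand-written copy of the one added to the JSON profile in the previous file, and nothing in this change keeps the two lists in step. Consider generating the JSON from `DefaultProfile`, or adding a test that fails when the two differ.
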
@ -745,6 +750,11 @@ var DefaultProfile = &types.Seccomp{
Action: types.ActAllow, Action: types.ActAllow,
Args: []*types.Arg{}, Args: []*types.Arg{},
}, },
{
Name: "mlock2",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{ {
Name: "mlockall", Name: "mlockall",
Action: types.ActAllow, Action: types.ActAllow,
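
Review bot: the `mlock2` entry added here, like `copy_file_range` above it, comes with no test; none of the three changed files exercises the new allow rules. An integration test that calls each syscall in a container under the default profile and checks that seccomp does not deny it would guard against a regression.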