From a1747b3cc861c00803a67e5a61dce73db6ac8eee Mon Sep 17 00:00:00 2001
From: Jessica Frazelle
Date: Tue, 29 Dec 2015 13:48:31 -0800
Subject: [PATCH] add 32bit syscalls to whitelist
Signed-off-by: Jessica Frazelle
---
 daemon/execdriver/native/seccomp_default.go | 159 +++++++++++++++++++-
 1 file changed, 157 insertions(+), 2 deletions(-)
diff --git a/daemon/execdriver/native/seccomp_default.go b/daemon/execdriver/native/seccomp_default.go
index 6021a0b4c5..946993e44d 100644
--- a/daemon/execdriver/native/seccomp_default.go
+++ b/daemon/execdriver/native/seccomp_default.go
@@ -71,6 +71,11 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "chown32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "chroot",
 Action: configs.Allow,
@@ -208,6 +213,11 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "fadvise64_64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "fallocate",
 Action: configs.Allow,
@@ -243,6 +253,11 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "fchown32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "fchownat",
 Action: configs.Allow,
@@ -253,6 +268,11 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "fcntl64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "fdatasync",
 Action: configs.Allow,
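Review bot: Every entry added here (`chown32` in the first hunk, then `fadvise64_64`, `fchown32` and `fcntl64`, and the `*32`/`*64`, `_newselect` and `ugetrlimit` entries in the later hunks) is a name that is absent from the x86_64 syscall table, so it takes effect only if the filter is also built for a 32-bit architecture; the profile's header fields are outside these hunks, so that cannot be confirmed from here. Each one is allowed with an empty `Args` list like its neighbours, which means a later argument restriction on e.g. `setuid` would have to be repeated on `setuid32`, or the 32-bit entry point would sidestep it. A comment at the first added entry would record this, e.g. `// 32-bit variant of chown; keep Action and Args in sync with the 64-bit entry`. The enclosing `defaultSeccompProfile` literal starts and ends outside the hunks.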
@@ -293,11 +313,26 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "fstat64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
+ {
+ Name: "fstatat64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "fstatfs",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "fstatfs64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "fsync",
 Action: configs.Allow,
@@ -308,6 +343,11 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "ftruncate64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "futex",
 Action: configs.Allow,
@@ -343,21 +383,41 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "getegid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "geteuid",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "geteuid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "getgid",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "getgid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "getgroups",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "getgroups32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "getitimer",
 Action: configs.Allow,
@@ -403,11 +463,21 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "getresgid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "getresuid",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "getresuid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "getrlimit",
 Action: configs.Allow,
@@ -458,6 +528,11 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "getuid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "getxattr",
 Action: configs.Allow,
@@ -533,6 +608,11 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "lchown32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "lgetxattr",
 Action: configs.Allow,
@@ -583,6 +663,11 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "lstat64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "madvise",
 Action: configs.Allow,
@@ -733,6 +818,11 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "_newselect",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "open",
 Action: configs.Allow,
@@ -1008,6 +1098,11 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "sendfile64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "sendmmsg",
 Action: configs.Allow,
@@ -1033,21 +1128,41 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "setfsgid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "setfsuid",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "setfsuid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "setgid",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "setgid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "setgroups",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "setgroups32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "sethostname",
 Action: configs.Allow,
@@ -1073,21 +1188,41 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "setregid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "setresgid",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "setresgid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "setresuid",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "setresuid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "setreuid",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "setreuid32",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "setrlimit",
 Action: configs.Allow,
@@ -1119,12 +1254,12 @@ var defaultSeccompProfile = &configs.Seccomp{
 Args: []*configs.Arg{},
 },
 {
- Name: "settimeofday",
+ Name: "setuid",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
 {
- Name: "setuid",
+ Name: "setuid32",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
@@ -1193,11 +1328,21 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "stat64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "statfs",
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "statfs64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "symlink",
 Action: configs.Allow,
@@ -1308,6 +1453,16 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Allow,
 Args: []*configs.Arg{},
 },
+ {
+ Name: "truncate64",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
+ {
+ Name: "ugetrlimit",
+ Action: configs.Allow,
+ Args: []*configs.Arg{},
+ },
 {
 Name: "umask",
 Action: configs.Allow,
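Review bot: The `@@ -1119,12 +1254,12 @@` hunk removes `settimeofday` from the allowed list (the old `settimeofday` line becomes `setuid` and the old `setuid` becomes `setuid32`), which the subject "add 32bit syscalls to whitelist" does not mention. If the removal is intended, it belongs in the commit message or in its own commit, because, assuming the profile's default action denies unlisted calls, a container that was deliberately given the capability to set the clock would now be stopped by the filter instead. If it is an editing slip, the `Name: "settimeofday",` entry needs to be restored ahead of `setuid`. Whether the other clock-setting calls are still allowed elsewhere in the profile is outside the visible hunks, so the list should be checked for consistency either way.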