From cd456433ea2a02ed0016314fc4959b5f1a9c40a3 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Tue, 2 May 2017 15:05:01 +0100
Subject: [PATCH] seccomp: Allow personality with UNAME26 bit set.
From personality(2):
Have uname(2) report a 2.6.40+ version number rather than a 3.x version number. Added as a stopgap measure to support broken applications that could not handle the kernel version-numbering switch from 2.6.x to 3.x.
This allows both "UNAME26|PER_LINUX" and "UNAME26|PER_LINUX32".
Fixes: #32839
Signed-off-by: Ian Campbell
---
 profiles/seccomp/default.json | 34 +++++++++++++++++++++++++++++
 profiles/seccomp/seccomp_default.go | 22 +++++++++++++++++++
 2 files changed, 56 insertions(+)
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 01ff1a4c56..364505090d 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -398,6 +398,40 @@
 "includes": {},
 "excludes": {}
 },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 131072,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 131080,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
 {
 "names": [
 "personality"
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 42bc3baa4b..6a8dc4ed3b 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go 
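Review bot: The two new `personality` rules leave `"comment": ""` empty, so nothing in the profile records why argument 0 is pinned to 131072 and 131080, and the Go hunk in seccomp_default.go has the same gap at `Value: 0x20000,` and `Value: 0x20008,`. Per the commit message these are UNAME26|PER_LINUX (0x20000) and UNAME26|PER_LINUX32 (0x20008), so I would fill the fields with `"comment": "UNAME26|PER_LINUX (0x20000)"` and `"comment": "UNAME26|PER_LINUX32 (0x20008)"`, and put a matching trailing `// UNAME26 | PER_LINUX` and `// UNAME26 | PER_LINUX32` on the two Go Value lines. Keeping SCMP_CMP_EQ rather than a masked compare is the right choice, since an exact match means no additional personality flag can be combined with UNAME26 through these rules; the comment should say the value is deliberately exact so a later edit does not loosen it. The JSON and Go profiles are maintained in lockstep, so the comment should also remind editors to change both entries together.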
@@ -377,6 +377,28 @@ func DefaultProfile() *types.Seccomp {
 },
 },
 },
+ {
+ Names: []string{"personality"},
+ Action: types.ActAllow,
+ Args: []*types.Arg{
+ {
+ Index: 0,
+ Value: 0x20000,
+ Op: types.OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: types.ActAllow,
+ Args: []*types.Arg{
+ {
+ Index: 0,
+ Value: 0x20008,
+ Op: types.OpEqualTo,
+ },
+ },
+ },
 {
 Names: []string{"personality"},
 Action: types.ActAllow,