Enable `process_vm_readv` and `process_vm_writev` for kernel > 4.8

These syscalls were disabled in #18971
due to them requiring CAP_PTRACE. CAP_PTRACE was blocked by default due
to a ptrace-related exploit. This has been patched in the Linux kernel
(version 4.8) and thus `ptrace` has been re-enabled. However, these
associated syscalls seem to have been left behind. This commit brings
them in line with `ptrace`, and re-enables them for kernel > 4.8.

Signed-off-by: clubby789 <jamie@hill-daniel.co.uk>
clubby789 2021-03-04 17:12:01 +00:00
parent 2ae2ddf51d
commit d39b075302
2 changed files with 7 additions and 1 deletion

View File

@ -401,6 +401,8 @@
}, },
{ {
"names": [ "names": [
"process_vm_readv",
"process_vm_writev",
"ptrace" "ptrace"
], ],
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
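Review bot: The JSON hunk stops at `"action": "SCMP_ACT_ALLOW"`, so it does not show whether this entry carries the same `includes` / `minKernel` clause that the Go `DefaultProfile()` entry for `ptrace` has; if the JSON profile is generated from the Go source, regenerate it rather than editing it by hand, and otherwise confirm that the two new names in this entry are gated on kernel 4.8 exactly as the commit message says, since a JSON consumer on an older kernel would otherwise get an unconditional allow that the Go profile does not grant. Keeping `process_vm_readv` and `process_vm_writev` in the `ptrace` group is the right place for them: the kernel subjects both to the same ptrace access check as an attach, so the seccomp allow only lets the call reach that check rather than granting cross-process memory access on its own.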

View File

@ -390,7 +390,11 @@ func DefaultProfile() *Seccomp {
Args: []*specs.LinuxSeccompArg{}, Args: []*specs.LinuxSeccompArg{},
}, },
{ {
Names: []string{"ptrace"}, Names: []string{
"process_vm_readv",
"process_vm_writev",
"ptrace",
},
Action: specs.ActAllow, Action: specs.ActAllow,
Includes: Filter{ Includes: Filter{
MinKernel: &KernelVersion{4, 8}, MinKernel: &KernelVersion{4, 8},
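Review bot: The commit title says "kernel > 4.8", but the unchanged context line `MinKernel: &KernelVersion{4, 8}` is an inclusive lower bound, so the message should say "4.8 and later" (or ">= 4.8") to match what this entry actually filters on. It is also worth stating in the message that, because the two new names are added to the existing `ptrace` entry rather than a new one, they inherit its `Includes` filter and therefore stay blocked on kernels below 4.8 exactly as `ptrace` does; that is the intended behaviour, but a reader of the diff only sees it from the context line.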