diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json index 786e5658ff..632cefbe0a 100644 --- a/profiles/seccomp/default.json +++ b/profiles/seccomp/default.json @@ -394,7 +394,6 @@ "writev" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": {}, "excludes": {} @@ -406,7 +405,6 @@ "ptrace" ], "action": "SCMP_ACT_ALLOW", - "args": null, "comment": "", "includes": { "minKernel": "4.8" @@ -498,7 +496,6 @@ "sync_file_range2" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "arches": [ @@ -517,7 +514,6 @@ "set_tls" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "arches": [ @@ -532,7 +528,6 @@ "arch_prctl" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "arches": [ @@ -547,7 +542,6 @@ "modify_ldt" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "arches": [ @@ -565,7 +559,6 @@ "s390_runtime_instr" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "arches": [ @@ -580,7 +573,6 @@ "open_by_handle_at" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ @@ -614,7 +606,6 @@ "unshare" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ @@ -677,7 +668,6 @@ "reboot" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ @@ -691,7 +681,6 @@ "chroot" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ @@ -707,7 +696,6 @@ "finit_module" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ @@ -721,7 +709,6 @@ "acct" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ @@ -740,7 +727,6 @@ "ptrace" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ @@ -755,7 +741,6 @@ "ioperm" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ 
@@ -771,7 +756,6 @@ "clock_settime" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ @@ -785,7 +769,6 @@ "vhangup" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ @@ -801,7 +784,6 @@ "set_mempolicy" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ @@ -815,7 +797,6 @@ "syslog" ], "action": "SCMP_ACT_ALLOW", - "args": [], "comment": "", "includes": { "caps": [ diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go index 32778e5116..f0319dac60 100644 --- a/profiles/seccomp/default_linux.go +++ b/profiles/seccomp/default_linux.go 
@@ -44,525 +44,547 @@ func arches() []Architecture { func DefaultProfile() *Seccomp { syscalls := []*Syscall{ { - Names: []string{ - "accept", - "accept4", - "access", - "adjtimex", - "alarm", - "bind", - "brk", - "capget", - "capset", - "chdir", - "chmod", - "chown", - "chown32", - "clock_adjtime", - "clock_adjtime64", - "clock_getres", - "clock_getres_time64", - "clock_gettime", - "clock_gettime64", - "clock_nanosleep", - "clock_nanosleep_time64", - "close", - "close_range", - "connect", - "copy_file_range", - "creat", - "dup", - "dup2", - "dup3", - "epoll_create", - "epoll_create1", - "epoll_ctl", - "epoll_ctl_old", - "epoll_pwait", - "epoll_pwait2", - "epoll_wait", - "epoll_wait_old", - "eventfd", - "eventfd2", - "execve", - "execveat", - "exit", - "exit_group", - "faccessat", - "faccessat2", - "fadvise64", - "fadvise64_64", - "fallocate", - "fanotify_mark", - "fchdir", - "fchmod", - "fchmodat", - "fchown", - "fchown32", - "fchownat", - "fcntl", - "fcntl64", - "fdatasync", - "fgetxattr", - "flistxattr", - "flock", - "fork", - "fremovexattr", - "fsetxattr", - "fstat", - "fstat64", - "fstatat64", - "fstatfs", - "fstatfs64", - "fsync", - "ftruncate", - "ftruncate64", - "futex", - "futex_time64", - "futimesat", - "getcpu", - "getcwd", - "getdents", - "getdents64", - "getegid", - "getegid32", - "geteuid", - "geteuid32", - "getgid", - "getgid32", - "getgroups", - "getgroups32", - "getitimer", - "getpeername", - "getpgid", - "getpgrp", - "getpid", - "getppid", - "getpriority", - "getrandom", - "getresgid", - "getresgid32", - "getresuid", - "getresuid32", - "getrlimit", - "get_robust_list", - "getrusage", - "getsid", - "getsockname", - "getsockopt", - "get_thread_area", - "gettid", - "gettimeofday", - "getuid", - "getuid32", - "getxattr", - "inotify_add_watch", - "inotify_init", - "inotify_init1", - "inotify_rm_watch", - "io_cancel", - "ioctl", - "io_destroy", - "io_getevents", - "io_pgetevents", - "io_pgetevents_time64", - "ioprio_get", - "ioprio_set", - "io_setup", - 
"io_submit", - "io_uring_enter", - "io_uring_register", - "io_uring_setup", - "ipc", - "kill", - "lchown", - "lchown32", - "lgetxattr", - "link", - "linkat", - "listen", - "listxattr", - "llistxattr", - "_llseek", - "lremovexattr", - "lseek", - "lsetxattr", - "lstat", - "lstat64", - "madvise", - "membarrier", - "memfd_create", - "mincore", - "mkdir", - "mkdirat", - "mknod", - "mknodat", - "mlock", - "mlock2", - "mlockall", - "mmap", - "mmap2", - "mprotect", - "mq_getsetattr", - "mq_notify", - "mq_open", - "mq_timedreceive", - "mq_timedreceive_time64", - "mq_timedsend", - "mq_timedsend_time64", - "mq_unlink", - "mremap", - "msgctl", - "msgget", - "msgrcv", - "msgsnd", - "msync", - "munlock", - "munlockall", - "munmap", - "nanosleep", - "newfstatat", - "_newselect", - "open", - "openat", - "openat2", - "pause", - "pidfd_open", - "pidfd_send_signal", - "pipe", - "pipe2", - "poll", - "ppoll", - "ppoll_time64", - "prctl", - "pread64", - "preadv", - "preadv2", - "prlimit64", - "pselect6", - "pselect6_time64", - "pwrite64", - "pwritev", - "pwritev2", - "read", - "readahead", - "readlink", - "readlinkat", - "readv", - "recv", - "recvfrom", - "recvmmsg", - "recvmmsg_time64", - "recvmsg", - "remap_file_pages", - "removexattr", - "rename", - "renameat", - "renameat2", - "restart_syscall", - "rmdir", - "rseq", - "rt_sigaction", - "rt_sigpending", - "rt_sigprocmask", - "rt_sigqueueinfo", - "rt_sigreturn", - "rt_sigsuspend", - "rt_sigtimedwait", - "rt_sigtimedwait_time64", - "rt_tgsigqueueinfo", - "sched_getaffinity", - "sched_getattr", - "sched_getparam", - "sched_get_priority_max", - "sched_get_priority_min", - "sched_getscheduler", - "sched_rr_get_interval", - "sched_rr_get_interval_time64", - "sched_setaffinity", - "sched_setattr", - "sched_setparam", - "sched_setscheduler", - "sched_yield", - "seccomp", - "select", - "semctl", - "semget", - "semop", - "semtimedop", - "semtimedop_time64", - "send", - "sendfile", - "sendfile64", - "sendmmsg", - "sendmsg", - "sendto", - 
"setfsgid", - "setfsgid32", - "setfsuid", - "setfsuid32", - "setgid", - "setgid32", - "setgroups", - "setgroups32", - "setitimer", - "setpgid", - "setpriority", - "setregid", - "setregid32", - "setresgid", - "setresgid32", - "setresuid", - "setresuid32", - "setreuid", - "setreuid32", - "setrlimit", - "set_robust_list", - "setsid", - "setsockopt", - "set_thread_area", - "set_tid_address", - "setuid", - "setuid32", - "setxattr", - "shmat", - "shmctl", - "shmdt", - "shmget", - "shutdown", - "sigaltstack", - "signalfd", - "signalfd4", - "sigprocmask", - "sigreturn", - "socket", - "socketcall", - "socketpair", - "splice", - "stat", - "stat64", - "statfs", - "statfs64", - "statx", - "symlink", - "symlinkat", - "sync", - "sync_file_range", - "syncfs", - "sysinfo", - "tee", - "tgkill", - "time", - "timer_create", - "timer_delete", - "timer_getoverrun", - "timer_gettime", - "timer_gettime64", - "timer_settime", - "timer_settime64", - "timerfd_create", - "timerfd_gettime", - "timerfd_gettime64", - "timerfd_settime", - "timerfd_settime64", - "times", - "tkill", - "truncate", - "truncate64", - "ugetrlimit", - "umask", - "uname", - "unlink", - "unlinkat", - "utime", - "utimensat", - "utimensat_time64", - "utimes", - "vfork", - "vmsplice", - "wait4", - "waitid", - "waitpid", - "write", - "writev", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "accept", + "accept4", + "access", + "adjtimex", + "alarm", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_adjtime", + "clock_adjtime64", + "clock_getres", + "clock_getres_time64", + "clock_gettime", + "clock_gettime64", + "clock_nanosleep", + "clock_nanosleep_time64", + "close", + "close_range", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_pwait2", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + 
"exit_group", + "faccessat", + "faccessat2", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", + "futex_time64", + "futimesat", + "getcpu", + "getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + "geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + "getitimer", + "getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "get_robust_list", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "get_thread_area", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "io_cancel", + "ioctl", + "io_destroy", + "io_getevents", + "io_pgetevents", + "io_pgetevents_time64", + "ioprio_get", + "ioprio_set", + "io_setup", + "io_submit", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", + "ipc", + "kill", + "lchown", + "lchown32", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "_llseek", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "membarrier", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mprotect", + "mq_getsetattr", + "mq_notify", + "mq_open", + "mq_timedreceive", + "mq_timedreceive_time64", + "mq_timedsend", + "mq_timedsend_time64", + "mq_unlink", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munlock", + "munlockall", + "munmap", + "nanosleep", + "newfstatat", + 
"_newselect", + "open", + "openat", + "openat2", + "pause", + "pidfd_open", + "pidfd_send_signal", + "pipe", + "pipe2", + "poll", + "ppoll", + "ppoll_time64", + "prctl", + "pread64", + "preadv", + "preadv2", + "prlimit64", + "pselect6", + "pselect6_time64", + "pwrite64", + "pwritev", + "pwritev2", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "recv", + "recvfrom", + "recvmmsg", + "recvmmsg_time64", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rseq", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_sigtimedwait_time64", + "rt_tgsigqueueinfo", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_get_priority_max", + "sched_get_priority_min", + "sched_getscheduler", + "sched_rr_get_interval", + "sched_rr_get_interval_time64", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "semtimedop_time64", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "setfsgid", + "setfsgid32", + "setfsuid", + "setfsuid32", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setrlimit", + "set_robust_list", + "setsid", + "setsockopt", + "set_thread_area", + "set_tid_address", + "setuid", + "setuid32", + "setxattr", + "shmat", + "shmctl", + "shmdt", + "shmget", + "shutdown", + "sigaltstack", + "signalfd", + "signalfd4", + "sigprocmask", + "sigreturn", + "socket", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", 
+ "tee", + "tgkill", + "time", + "timer_create", + "timer_delete", + "timer_getoverrun", + "timer_gettime", + "timer_gettime64", + "timer_settime", + "timer_settime64", + "timerfd_create", + "timerfd_gettime", + "timerfd_gettime64", + "timerfd_settime", + "timerfd_settime64", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "uname", + "unlink", + "unlinkat", + "utime", + "utimensat", + "utimensat_time64", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, }, { - Names: []string{ - "process_vm_readv", - "process_vm_writev", - "ptrace", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "process_vm_readv", + "process_vm_writev", + "ptrace", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, Includes: Filter{ MinKernel: &KernelVersion{4, 8}, }, }, { - Names: []string{"personality"}, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: 0x0, - Op: specs.OpEqualTo, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x0, + Op: specs.OpEqualTo, + }, }, }, }, { - Names: []string{"personality"}, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: 0x0008, - Op: specs.OpEqualTo, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x0008, + Op: specs.OpEqualTo, + }, }, }, }, { - Names: []string{"personality"}, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: 0x20000, - Op: specs.OpEqualTo, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x20000, + Op: specs.OpEqualTo, + }, }, }, }, { - 
Names: []string{"personality"}, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: 0x20008, - Op: specs.OpEqualTo, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x20008, + Op: specs.OpEqualTo, + }, }, }, }, { - Names: []string{"personality"}, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: 0xffffffff, - Op: specs.OpEqualTo, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0xffffffff, + Op: specs.OpEqualTo, + }, }, }, }, { - Names: []string{ - "sync_file_range2", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "sync_file_range2", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Arches: []string{"ppc64le"}, }, }, { - Names: []string{ - "arm_fadvise64_64", - "arm_sync_file_range", - "sync_file_range2", - "breakpoint", - "cacheflush", - "set_tls", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "arm_fadvise64_64", + "arm_sync_file_range", + "sync_file_range2", + "breakpoint", + "cacheflush", + "set_tls", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Arches: []string{"arm", "arm64"}, }, }, { - Names: []string{ - "arch_prctl", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "arch_prctl", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Arches: []string{"amd64", "x32"}, }, }, { - Names: []string{ - "modify_ldt", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "modify_ldt", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Arches: []string{"amd64", "x32", "x86"}, }, }, { - Names: []string{ - 
"s390_pci_mmio_read", - "s390_pci_mmio_write", - "s390_runtime_instr", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "s390_pci_mmio_read", + "s390_pci_mmio_write", + "s390_runtime_instr", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Arches: []string{"s390", "s390x"}, }, }, { - Names: []string{ - "open_by_handle_at", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "open_by_handle_at", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_DAC_READ_SEARCH"}, }, }, { - Names: []string{ - "bpf", - "clone", - "fanotify_init", - "fsconfig", - "fsmount", - "fsopen", - "fspick", - "lookup_dcookie", - "mount", - "move_mount", - "name_to_handle_at", - "open_tree", - "perf_event_open", - "quotactl", - "setdomainname", - "sethostname", - "setns", - "syslog", - "umount", - "umount2", - "unshare", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "bpf", + "clone", + "fanotify_init", + "fsconfig", + "fsmount", + "fsopen", + "fspick", + "lookup_dcookie", + "mount", + "move_mount", + "name_to_handle_at", + "open_tree", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + "syslog", + "umount", + "umount2", + "unshare", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_ADMIN"}, }, }, { - Names: []string{ - "clone", - }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, - ValueTwo: 0, - Op: specs.OpMaskedEqual, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "clone", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | 
unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, + ValueTwo: 0, + Op: specs.OpMaskedEqual, + }, }, }, Excludes: Filter{ @@ -571,16 +593,18 @@ func DefaultProfile() *Seccomp { }, }, { - Names: []string{ - "clone", - }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 1, - Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, - ValueTwo: 0, - Op: specs.OpMaskedEqual, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "clone", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 1, + Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, + ValueTwo: 0, + Op: specs.OpMaskedEqual, + }, }, }, Comment: "s390 parameter ordering for clone is different", 
@@ -592,113 +616,123 @@ func DefaultProfile() *Seccomp { }, }, { - Names: []string{ - "reboot", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "reboot", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_BOOT"}, }, }, { - Names: []string{ - "chroot", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "chroot", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_CHROOT"}, }, }, { - Names: []string{ - "delete_module", - "init_module", - "finit_module", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "delete_module", + "init_module", + "finit_module", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_MODULE"}, }, }, { - Names: []string{ - "acct", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "acct", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_PACCT"}, }, }, { - Names: []string{ - "kcmp", - "pidfd_getfd", - "process_madvise", - "process_vm_readv", - "process_vm_writev", - "ptrace", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "kcmp", + "pidfd_getfd", + "process_madvise", + "process_vm_readv", + "process_vm_writev", + "ptrace", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_PTRACE"}, }, }, { - Names: []string{ - "iopl", - "ioperm", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "iopl", + "ioperm", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_RAWIO"}, }, }, { - Names: []string{ - "settimeofday", - "stime", - "clock_settime", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + 
"settimeofday", + "stime", + "clock_settime", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_TIME"}, }, }, { - Names: []string{ - "vhangup", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "vhangup", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_TTY_CONFIG"}, }, }, { - Names: []string{ - "get_mempolicy", - "mbind", - "set_mempolicy", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "get_mempolicy", + "mbind", + "set_mempolicy", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYS_NICE"}, }, }, { - Names: []string{ - "syslog", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "syslog", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, Includes: Filter{ Caps: []string{"CAP_SYSLOG"}, }, diff --git a/profiles/seccomp/fixtures/example.json b/profiles/seccomp/fixtures/example.json index 848045899b..21dea414d5 100644 --- a/profiles/seccomp/fixtures/example.json +++ b/profiles/seccomp/fixtures/example.json @@ -22,6 +22,12 @@ "name": "close", "action": "SCMP_ACT_ALLOW", "args": [] + }, + { + "name": "syslog", + "action": "SCMP_ACT_ERRNO", + "errnoRet": 12345, + "args": [] } ] } diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go index d2a21cddc4..843fd6bbe7 100644 --- a/profiles/seccomp/seccomp.go +++ b/profiles/seccomp/seccomp.go 
@@ -40,15 +40,18 @@ type Filter struct { MinKernel *KernelVersion `json:"minKernel,omitempty"` } -// Syscall is used to match a group of syscalls in Seccomp +// Syscall is used to match a group of syscalls in Seccomp. It extends the +// runtime-spec Syscall type, adding a "Name" field for backward compatibility +// with older JSON representations, additional "Comment" metadata, and conditional +// rules ("Includes", "Excludes") used to generate a runtime-spec Seccomp profile +// based on the container (capabilities) and host's (arch, kernel) configuration. type Syscall struct { - Name string `json:"name,omitempty"` - Names []string `json:"names,omitempty"` - Action specs.LinuxSeccompAction `json:"action"` - Args []*specs.LinuxSeccompArg `json:"args"` - Comment string `json:"comment"` - Includes Filter `json:"includes"` - Excludes Filter `json:"excludes"` + specs.LinuxSyscall + // Deprecated: kept for backward compatibility with old JSON profiles, use Names instead + Name string `json:"name,omitempty"` + Comment string `json:"comment"` + Includes Filter `json:"includes"` + Excludes Filter `json:"excludes"` } // KernelVersion holds information about the kernel. diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go index 566f173acd..b675386126 100644 --- a/profiles/seccomp/seccomp_linux.go +++ b/profiles/seccomp/seccomp_linux.go 
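Review bot: Embedding `specs.LinuxSyscall` promotes more than `Names`/`Action`/`Args` into `Syscall`: the spec type's `ErrnoRet *uint` (JSON `errnoRet`, which the new test hunk relies on) is now decoded from user-supplied profiles and forwarded to the runtime, where the previous hand-built conversion dropped it, and the new doc comment does not mention this behavior change. I would add a sentence such as `// Embedding LinuxSyscall also exposes its "errnoRet" field, so SCMP_ACT_ERRNO rules in a profile now return the errno they specify instead of the runtime default.` Nothing in this type validates that value, and as far as I recall the kernel keeps only the low 16 bits of SECCOMP_RET_DATA, so an out-of-range `errnoRet` would be silently truncated rather than rejected; worth confirming and either documenting or checking at load time. The `Deprecated:` line should read as a full sentence so tooling renders it cleanly, e.g. `// Deprecated: Name is kept for backward compatibility with old JSON profiles; use Names instead.`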
@@ -150,29 +150,15 @@ Loop: } } - if call.Name != "" && len(call.Names) != 0 { - return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'") + if call.Name != "" { + if len(call.Names) != 0 { + return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'") + } + call.Names = append(call.Names, call.Name) } - if call.Name != "" { - newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args)) - } else { - newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args)) - } + newConfig.Syscalls = append(newConfig.Syscalls, call.LinuxSyscall) } return newConfig, nil } - -func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall { - newCall := specs.LinuxSyscall{ - Names: names, - Action: action, - } - - // Loop through all the arguments of the syscall and convert them - for _, arg := range args { - newCall.Args = append(newCall.Args, *arg) - } - return newCall -} diff --git a/profiles/seccomp/seccomp_test.go b/profiles/seccomp/seccomp_test.go index f4cfb4799b..506410d50b 100644 --- a/profiles/seccomp/seccomp_test.go +++ b/profiles/seccomp/seccomp_test.go 
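Review bot: `call.Names = append(call.Names, call.Name)` writes back into the `Syscall` being iterated; if the loop over `config.Syscalls` ranges over pointers (the default profile is built as `[]*Syscall` in this same change, so that seems likely), the caller's profile ends up with both `Name` and `Names` set, and feeding the same `*Seccomp` through this conversion a second time would then fail with the "'name' and 'names' were specified" error that the preceding check raises. Since that check already guarantees `len(call.Names) == 0`, the append is also just `[]string{call.Name}`. Building the runtime-spec entry in a local copy keeps the input read-only; the copy still shares the `Names`/`Args` backing arrays with the input, which is fine as long as nothing mutates them later. The enclosing `Loop` and its function begin before the hunk.
```go
		// … unchanged: includes/excludes filtering above …
		// Build the runtime-spec entry from a copy so the input profile is left untouched.
		newCall := call.LinuxSyscall
		if call.Name != "" {
			if len(newCall.Names) != 0 {
				return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
			}
			newCall.Names = []string{call.Name}
		}
		newConfig.Syscalls = append(newConfig.Syscalls, newCall)
```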
@@ -18,9 +18,45 @@ func TestLoadProfile(t *testing.T) { t.Fatal(err) } rs := createSpec() - if _, err := LoadProfile(string(f), &rs); err != nil { + p, err := LoadProfile(string(f), &rs) + if err != nil { t.Fatal(err) } + var expectedErrno uint = 12345 + expected := specs.LinuxSeccomp{ + DefaultAction: "SCMP_ACT_ERRNO", + Syscalls: []specs.LinuxSyscall{ + { + Names: []string{"clone"}, + Action: "SCMP_ACT_ALLOW", + Args: []specs.LinuxSeccompArg{{ + Index: 0, + Value: 2114060288, + ValueTwo: 0, + Op: "SCMP_CMP_MASKED_EQ", + }}, + }, + { + + Names: []string{"open"}, + Action: "SCMP_ACT_ALLOW", + Args: []specs.LinuxSeccompArg{}, + }, + { + Names: []string{"close"}, + Action: "SCMP_ACT_ALLOW", + Args: []specs.LinuxSeccompArg{}, + }, + { + Names: []string{"syslog"}, + Action: "SCMP_ACT_ERRNO", + ErrnoRet: &expectedErrno, + Args: []specs.LinuxSeccompArg{}, + }, + }, + } + + assert.DeepEqual(t, expected, *p) } // TestLoadLegacyProfile tests loading a seccomp profile in the old format
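Review bot: `Value: 2114060288` in the expected clone rule is a bare decimal that a reader cannot check against the fixture; it equals `0x7e020000`, which is the same CLONE_NEW* mask the default profile spells out as `unix.CLONE_NEWNS | ... | unix.CLONE_NEWCGROUP`, so write it as hex with a comment, e.g. `Value: 0x7e020000, // CLONE_NEWNS|NEWUTS|NEWIPC|NEWUSER|NEWPID|NEWNET|NEWCGROUP`, or reuse the `unix` constants if the test file already imports them. Likewise `var expectedErrno uint = 12345` deserves a one-line comment saying it is deliberately not a real errno and only checks that `errnoRet` is passed through unchanged, since this is the first test pinning that field. TestLoadProfile starts before the hunk.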