1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Commit graph

20 commits

Author SHA1 Message Date
Justin Cormack
e7a99ae5e1 Remove mlock and vhangup from the default seccomp profile
These syscalls are already blocked by the default capabilities:
mlock mlock2 mlockall require CAP_IPC_LOCK
vhangup requires CAP_SYS_TTY_CONFIG

There is therefore no reason to allow them in the default profile
as they cannot be used anyway.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-04-21 18:23:59 +01:00
Jess Frazelle
1f40cc15c7 Merge pull request #21176 from cyphar/fix-apparmor-profile-execpath
profiles: apparmor: remove unused fields
2016-03-23 10:02:34 -07:00
Aleksa Sarai
d274456f3e profiles: apparmor: actually calculate version
In order to check that we can have the `ptrace` rule, we need to
actually calculate the version of apparmor_parser.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-20 19:03:19 +11:00
Aleksa Sarai
64fb664908 profiles: apparmor: remove unused fields
ExecPath isn't used by anything, and the signal apparmor rule isn't used
because it refers to a peer that we don't ship.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-20 19:01:49 +11:00
Tonis Tiigi
99b16b3523 Reuse profiles/seccomp package
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-03-19 14:15:39 -07:00
Justin Cormack
96896f2d0b Add new syscalls in libseccomp 2.3.0 to seccomp default profile
This adds the following new syscalls that are supported in libseccomp 2.3.0,
including calls added up to kernel 4.5-rc4:
mlock2 - same as mlock but with a flag
copy_file_range - copy file contents, like splice but with reflink support.

The following are not added, and mentioned in docs:
userfaultfd - userspace page fault handling, mainly designed for process migration

The following are not added, only apply to less common architectures:
switch_endian
membarrier
breakpoint
set_tls
I plan to review the other architectures, some of which can now have seccomp
enabled in the build as they are now supported.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-03-16 21:17:32 +00:00
Justin Cormack
5abd881883 Allow restart_syscall in default seccomp profile
Fixes #20818

This syscall was blocked as there was some concern that it could be
used to bypass filtering of other syscall arguments. However none of the
potential syscalls where this could be an issue (poll, nanosleep,
clock_nanosleep, futex) are blocked in the default profile anyway.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-03-11 16:44:11 +00:00
Alexander Morozov
943ae26bc0 Merge pull request #20958 from calavera/basic_function_templates
Provide basic string manipulation functions for template executions.
2016-03-10 08:08:32 -08:00
allencloud
34b82a69b9 fix some typos.
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-03-10 10:09:27 +08:00
David Calavera
8514880997 Provide basic string manupilation functions for template executions.
This change centralizes the template manipulation in a single package
and adds basic string functions to their execution.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-09 19:37:12 -05:00
Justin Cormack
31410a6d79 Add ipc syscall to default seccomp profile
On 32 bit x86 this is a multiplexing syscall for the system V
ipc syscalls such as shmget, and so needs to be allowed for
shared memory access for 32 bit binaries.

Fixes #20733

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-03-05 22:12:23 +00:00
Justin Cormack
39b799ac53 Add some uses of personality syscall to default seccomp filter
We generally want to filter the personality(2) syscall, as it
allows disabling ASLR, and turning on some poorly supported
emulations that have been the target of CVEs. However the use
cases for reading the current value, setting the default
PER_LINUX personality, and setting PER_LINUX32 for 32 bit
emulation are fine.

See issue #20634

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-02-26 18:43:08 +01:00
Antonio Murdaca
11435b674b
add seccomp default profile fix tests
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-19 13:32:54 -08:00
Jessica Frazelle
ad600239bc
generate seccomp profile convert type
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-19 13:32:54 -08:00
Aleksa Sarai
284d9d451e apparmor: use correct version for ptrace denial suppression
Ubuntu ships apparmor_parser 2.9 erroniously as "2.8.95". Fix the
incorrect version check for >=2.8, when in fact 2.8 deosn't support the
required feature.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-15 20:36:29 +11:00
Aleksa Sarai
4bf7a84c96 apparmor: fix version checks to work properly
Using {{if major}}{{if minor}} doesn't work as expected when the major
version changes. In addition, this didn't support patch levels (which is
necessary in some cases when distributions ship apparmor weirdly).

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-15 20:36:07 +11:00
Jessica Frazelle
9bc771af9d
add validation for generating default secccomp profile
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-08 13:04:52 -08:00
Jessica Frazelle
d57816de02
add default seccomp profile as json
profile is created by go generate

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-08 08:19:21 -08:00
Jessica Frazelle
bed0bb7d01
move default seccomp profile into package
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-01-21 16:55:29 -08:00
Jessica Frazelle
35e50119fc
move default apparmor policy into package
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-01-21 16:55:27 -08:00