seccomp: various updates #421
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cyphar
force-pushed
the
seccomp-update
branch
2 times, most recently
from
3e7e589 to
c5e5295
Compare
Several syscalls were enabled globally (SCMP_ACT_ALLOW without any conditions for all containers), but also had conditional rules later in the profile (likely inherited from Docker). The following syscalls do not need special casing because they were globally enabled: * clone, unshare, mount, umount, umount2 all had special CAP_SYS_ADMIN restrictions but those don't make sense since they were also enabled for all containers. * reboot was permitted for CAP_SYS_BOOT and all containers. * name_to_handle_at was permitted for CAP_SYS_ADMIN, CAP_SYS_NICE(?), and all containers. And certain syscalls had globally-enabled rules when they shouldn't have: * socket has special rules for CAP_AUDIT_WRITE but it also had a global "allow unconditionally" rule. It turns out that libseccomp will override unconditional rules with conditional ones but this is somewhat of an implementation detail and it's much safer to remove the rule and use the existing cases. Now the only syscalls remaining with complicated rules (meaning they appear more than once in the profile) are: * sync_file_range2 which is architecture specific (though in principle we could move it to enabled-without-rules because runc ignores unknown syscalls). Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
The generate.go script used to fill the default seccomp profile file is quite important as otherwise distributions will end up having outdated seccomp filters even after a podman update. This script comes from the Docker repo. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This mirrors the Docker and containerd changes, with the caveat that because mount(2) is permitted under podman for all containers we therefore add all of the v2 mount API syscalls as available to all containers. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
force-pushed
the
seccomp-update
branch
from
c5e5295 to
5aaf1d5
Compare
Collaborator
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cyphar, giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Member
|
Thanks @cyphar |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Several syscalls were enabled globally (SCMP_ACT_ALLOW without any
conditions for all containers), but also had conditional rules later in
the profile (likely inherited from Docker). The following syscalls do
not need special casing because they were globally enabled:
restrictions but those don't make sense since they were also enabled
for all containers.
and all containers.
And certain syscalls had globally-enabled rules when they shouldn't
have:
socket has special rules for CAP_AUDIT_WRITE but it also had a global
"allow unconditionally" rule. This actually rendered the conditional
rules ineffective (because libseccomp ignores conditional rules if
there is already an unconditional rule).
This means that socket(AF_NETLINK, NETLINK_AUDIT) was not actually
blocked by seccomp, though luckily there are ordinary kernel checks
which block this from working.
Now the only syscalls remaining with complicated rules (meaning they
appear more than once in the profile) are:
we could move it to enabled-without-rules because runc ignores
unknown syscalls).
In addtion, update the syscall list to Linux 5.11. This mirrors the
Docker and containerd changes, with the caveat that because mount(2) is
permitted under podman for all containers we therefore add all of the v2
mount API syscalls as available to all containers.
Fixes #419
Signed-off-by: Aleksa Sarai cyphar@cyphar.com