Change seccomp blacklist to a whitelist #18979

jessfraz · 2015-12-29T22:23:49Z

Running various tests on official images, but opening the discussion. ping @justincormack

phemmer · 2015-12-29T23:06:47Z

I was wondering why we weren't using a whitelist instead. The whitelist makes more sense to me for one main reason: default action is secure (http://stackoverflow.com/a/504424/486035).
With a blacklist, even if we blacklisted every possible syscall that could be abused, new kernels can come out which introduce new syscalls, and if docker's blacklist is old, it won't protect them.

👍

jessfraz · 2015-12-29T23:13:29Z

does this mean you will compile seccomp into your binary now 0:)

cpuguy83 · 2015-12-30T03:29:33Z

SGTM

thaJeztah · 2015-12-30T12:39:31Z

Using a white list sounds like a better approach to me, so +1

Tentatively moving this to code review

justincormack · 2015-12-30T12:51:59Z

~~The clone rule needs fixing, will send patch.~~ Ah sorry this was done I missed the commit.

I am slightly inclined to add back in the comments from the blacklisted syscalls as documentation of the ones not in the whitelist, not sure what anyone thinks.

justincormack · 2015-12-30T14:57:53Z

Ok I have tested this extensively: tested that individual syscalls are being correctly filtered, used it as my default docker install and built stuff (eg docker/docker, Linux kernel compile), double checked the syscall list for 32 bits, arm, powerpc. So LGTM.

For reference easiest way to check individual syscalls being filtered is:

docker run -it --cap-add ALL justincormack/ljsyscall -e "print(require('syscall').acct('/tmp/t'))"
nil Operation not permitted
docker run -it --cap-add ALL justincormack/ljsyscall -e "print(require('syscall').clone('newuts,newpid'))"
nil Operation not permitted
docker run -it --cap-add ALL --security-opt seccomp:unconfined justincormack/ljsyscall -e "print(require('syscall').acct('/tmp/t'))"
nil No such file or directory
docker run -it --cap-add ALL --security-opt seccomp:unconfined justincormack/ljsyscall -e "print(require('syscall').clone())"
11
0

jessfraz · 2015-12-30T15:04:38Z

Thanks I can add those as integration tests :) and I'm working on all new docs with the old comments as well

On Dec 30, 2015, 06:59 -0800, Justin Cormacknotifications@github.com, wrote:

Ok I have tested this extensively: tested that individual syscalls are being correctly filtered, used it as my default docker install and built stuff (eg docker/docker, Linux kernel compile), double checked the syscall list for 32 bits, arm, powerpc. So LGTM.

For reference easiest way to check individual syscalls being filtered is:

docker run -it --cap-add ALL justincormack/ljsyscall -e "print(require('syscall').acct('/tmp/t'))" nil Operation not permitted docker run -it --cap-add ALL justincormack/ljsyscall -e "print(require('syscall').clone('newuts,newpid'))" nil Operation not permitted docker run -it --cap-add ALL --security-opt seccomp:unconfined justincormack/ljsyscall -e "print(require('syscall').acct('/tmp/t'))" nil No such file or directory docker run -it --cap-add ALL --security-opt seccomp:unconfined justincormack/ljsyscall -e "print(require('syscall').clone())" 11 0

—
Reply to this email directly orview it on GitHub(#18979 (comment)).

jessfraz · 2015-12-30T22:20:57Z

opened additional tests here: #19002 and docs will come soon in another PR

cpuguy83 · 2015-12-31T02:29:30Z

Looks like you have settimeofday in the whitelist, shouldn't that be blocked?

jessfraz · 2015-12-31T03:24:42Z

Good catch thanks

On Dec 30, 2015, 18:30 -0800, Brian Goffnotifications@github.com, wrote:

Looks like you havesettimeofdayin the whitelist, shouldn't that be blocked?

—
Reply to this email directly orview it on GitHub(#18979 (comment)).

cpuguy83 · 2016-01-04T18:34:59Z

LGTM

Signed-off-by: Jessica Frazelle <acidburn@docker.com>

…ndle_at Being able to obtain a file handle is no use as we cannot perform any operation in it, and it may leak kernel state. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

sysfs and ustat syscalls are marked obsolete. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

This is the newer verion of lseek on many 32 bit platforms Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

This is used on some 32 bit architectures, eg x86 Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

justincormack · 2016-01-05T00:16:13Z

Looking good after more testing. ~~There is one issue that running compatible architectures is currently blocked (eg 32 bit x86 on x86_64). There is an easier fix or a nicer one, will look at it tomorrow, but need not stop merging.~~ Sent fix to @jfrazelle

calavera · 2016-01-05T17:20:48Z

sorry, wrong button 😄

calavera · 2016-01-05T17:22:11Z

That file looks quite long but whatever. LGTM

jessfraz · 2016-01-05T17:23:42Z

we could use go generate? I was thinking about that in the beginning

On Tue, Jan 5, 2016 at 9:22 AM, David Calavera notifications@github.com
wrote:

sorry, wrong button [image: 😄]

—
Reply to this email directly or view it on GitHub
#18979 (comment).

justincormack · 2016-01-05T17:24:30Z

Unfortunately Linux has too many syscalls, and it matches the libcontainer spec format, well the Go is a bit more readable. It is not ideal, but not sure there is much that can be done.

jessfraz · 2016-01-05T17:25:37Z

no i want it to be good :(

On Tue, Jan 5, 2016 at 9:23 AM, David Calavera notifications@github.com
wrote:

That file looks quite long but whatever. LGTM

—
Reply to this email directly or view it on GitHub
#18979 (comment).

In the default seccomp rule, allow use of 32 bit syscalls on 64 bit architectures, so you can run x86 Linux images on x86_64 without disabling seccomp or using a custom rule. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

This version is sometimes used eg by glibc on x86 Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

jessfraz · 2016-01-05T17:33:09Z

FWIW it will be easier to see the diff once its merged ;)

thaJeztah · 2016-01-05T18:18:28Z

will merging make all red Janky's go green? 😇

jessfraz · 2016-01-05T18:43:07Z

i think it was becausse llvm repo was screwed up

jessfraz · 2016-01-06T00:10:28Z

green \o/

Change seccomp blacklist to a whitelist

GordonTheTurtle added the status/0-triage label Dec 29, 2015

jessfraz added status/1-design-review area/security/seccomp and removed status/0-triage labels Dec 29, 2015

jessfraz force-pushed the make-whitelist branch 2 times, most recently from e4d6adf to 9356732 Compare December 29, 2015 22:53

jessfraz added this to the 1.10 milestone Dec 29, 2015

thaJeztah added status/2-code-review and removed status/1-design-review labels Dec 30, 2015

jessfraz force-pushed the make-whitelist branch from 9356732 to f473b64 Compare December 31, 2015 03:23

thaJeztah mentioned this pull request Jan 3, 2016

Update security docs for seccomp/apparmor #18452

Merged

GordonTheTurtle added the dco/no Automatically set by a bot when one of the commits lacks proper signature label Jan 4, 2016

jessfraz force-pushed the make-whitelist branch from f71602e to dcb0619 Compare January 4, 2016 17:10

GordonTheTurtle removed the dco/no Automatically set by a bot when one of the commits lacks proper signature label Jan 4, 2016

jessfraz force-pushed the make-whitelist branch from dcb0619 to 7632772 Compare January 4, 2016 18:35

jessfraz and others added 4 commits January 4, 2016 11:55

change seccomp blacklist to whitelist

17735c3

Signed-off-by: Jessica Frazelle <acidburn@docker.com>

add 32bit syscalls to whitelist

a1747b3

Signed-off-by: Jessica Frazelle <acidburn@docker.com>

Do not allow name_to_handle_at, as we have already blocked open_by_ha…

c1b57fc

…ndle_at Being able to obtain a file handle is no use as we cannot perform any operation in it, and it may leak kernel state. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

Do not allow obsolete syscalls

d6a9c5a

sysfs and ustat syscalls are marked obsolete. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

Add _llseek syscall

9236091

This is the newer verion of lseek on many 32 bit platforms Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

jessfraz force-pushed the make-whitelist branch from 7632772 to 9236091 Compare January 4, 2016 20:14

Allow sigreturn syscall

d8e06d5

This is used on some 32 bit architectures, eg x86 Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

calavera closed this Jan 5, 2016

calavera reopened this Jan 5, 2016

justincormack added 2 commits January 5, 2016 09:28

Allow the waitpid syscall

822c4f7

This version is sometimes used eg by glibc on x86 Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

calavera added a commit that referenced this pull request Jan 6, 2016

Merge pull request #18979 from jfrazelle/make-whitelist

4b1872f

Change seccomp blacklist to a whitelist

calavera merged commit 4b1872f into moby:master Jan 6, 2016

jessfraz deleted the make-whitelist branch January 6, 2016 18:07

Change seccomp blacklist to a whitelist #18979

Change seccomp blacklist to a whitelist #18979

Uh oh!

Conversation

jessfraz commented Dec 29, 2015

Uh oh!

phemmer commented Dec 29, 2015

Uh oh!

jessfraz commented Dec 29, 2015

Uh oh!

cpuguy83 commented Dec 30, 2015

Uh oh!

thaJeztah commented Dec 30, 2015

Uh oh!

justincormack commented Dec 30, 2015

Uh oh!

justincormack commented Dec 30, 2015

Uh oh!

jessfraz commented Dec 30, 2015

Uh oh!

jessfraz commented Dec 30, 2015

Uh oh!

cpuguy83 commented Dec 31, 2015

Uh oh!

jessfraz commented Dec 31, 2015

Uh oh!

cpuguy83 commented Jan 4, 2016

Uh oh!

justincormack commented Jan 5, 2016

Uh oh!

calavera commented Jan 5, 2016

Uh oh!

calavera commented Jan 5, 2016

Uh oh!

jessfraz commented Jan 5, 2016

Uh oh!

justincormack commented Jan 5, 2016

Uh oh!

jessfraz commented Jan 5, 2016

Uh oh!

jessfraz commented Jan 5, 2016

Uh oh!

thaJeztah commented Jan 5, 2016

Uh oh!

jessfraz commented Jan 5, 2016

Uh oh!

jessfraz commented Jan 6, 2016

Uh oh!

Uh oh!