Browse code
Add some uses of personality syscall to default seccomp filter
We generally want to filter the personality(2) syscall, as it
allows disabling ASLR, and turning on some poorly supported
emulations that have been the target of CVEs. However the use
cases for reading the current value, setting the default
PER_LINUX personality, and setting PER_LINUX32 for 32 bit
emulation are fine.
See issue #20634
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Justin Cormack authored on 2016/02/25 04:47:50Showing 2 changed files
| ... | ... |
@@ -834,6 +834,42 @@ |
| 834 | 834 |
"args": [] |
| 835 | 835 |
}, |
| 836 | 836 |
{
|
| 837 |
+ "name": "personality", |
|
| 838 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 839 |
+ "args": [ |
|
| 840 |
+ {
|
|
| 841 |
+ "index": 0, |
|
| 842 |
+ "value": 0, |
|
| 843 |
+ "valueTwo": 0, |
|
| 844 |
+ "op": "SCMP_CMP_EQ" |
|
| 845 |
+ } |
|
| 846 |
+ ] |
|
| 847 |
+ }, |
|
| 848 |
+ {
|
|
| 849 |
+ "name": "personality", |
|
| 850 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 851 |
+ "args": [ |
|
| 852 |
+ {
|
|
| 853 |
+ "index": 0, |
|
| 854 |
+ "value": 8, |
|
| 855 |
+ "valueTwo": 0, |
|
| 856 |
+ "op": "SCMP_CMP_EQ" |
|
| 857 |
+ } |
|
| 858 |
+ ] |
|
| 859 |
+ }, |
|
| 860 |
+ {
|
|
| 861 |
+ "name": "personality", |
|
| 862 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 863 |
+ "args": [ |
|
| 864 |
+ {
|
|
| 865 |
+ "index": 0, |
|
| 866 |
+ "value": 4294967295, |
|
| 867 |
+ "valueTwo": 0, |
|
| 868 |
+ "op": "SCMP_CMP_EQ" |
|
| 869 |
+ } |
|
| 870 |
+ ] |
|
| 871 |
+ }, |
|
| 872 |
+ {
|
|
| 837 | 873 |
"name": "pipe", |
| 838 | 874 |
"action": "SCMP_ACT_ALLOW", |
| 839 | 875 |
"args": [] |
| ... | ... |
@@ -866,6 +866,39 @@ var DefaultProfile = &types.Seccomp{
|
| 866 | 866 |
Args: []*types.Arg{},
|
| 867 | 867 |
}, |
| 868 | 868 |
{
|
| 869 |
+ Name: "personality", |
|
| 870 |
+ Action: types.ActAllow, |
|
| 871 |
+ Args: []*types.Arg{
|
|
| 872 |
+ {
|
|
| 873 |
+ Index: 0, |
|
| 874 |
+ Value: 0x0, |
|
| 875 |
+ Op: types.OpEqualTo, |
|
| 876 |
+ }, |
|
| 877 |
+ }, |
|
| 878 |
+ }, |
|
| 879 |
+ {
|
|
| 880 |
+ Name: "personality", |
|
| 881 |
+ Action: types.ActAllow, |
|
| 882 |
+ Args: []*types.Arg{
|
|
| 883 |
+ {
|
|
| 884 |
+ Index: 0, |
|
| 885 |
+ Value: 0x0008, |
|
| 886 |
+ Op: types.OpEqualTo, |
|
| 887 |
+ }, |
|
| 888 |
+ }, |
|
| 889 |
+ }, |
|
| 890 |
+ {
|
|
| 891 |
+ Name: "personality", |
|
| 892 |
+ Action: types.ActAllow, |
|
| 893 |
+ Args: []*types.Arg{
|
|
| 894 |
+ {
|
|
| 895 |
+ Index: 0, |
|
| 896 |
+ Value: 0xffffffff, |
|
| 897 |
+ Op: types.OpEqualTo, |
|
| 898 |
+ }, |
|
| 899 |
+ }, |
|
| 900 |
+ }, |
|
| 901 |
+ {
|
|
| 869 | 902 |
Name: "pipe", |
| 870 | 903 |
Action: types.ActAllow, |
| 871 | 904 |
Args: []*types.Arg{},
|