Browse code
Allow restart_syscall in default seccomp profile
Fixes #20818
This syscall was blocked as there was some concern that it could be
used to bypass filtering of other syscall arguments. However none of the
potential syscalls where this could be an issue (poll, nanosleep,
clock_nanosleep, futex) are blocked in the default profile anyway.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Justin Cormack authored on 2016/03/11 20:01:20Showing 3 changed files
| ... | ... |
@@ -114,7 +114,6 @@ the reason each syscall is blocked rather than white-listed. |
| 114 | 114 |
| `query_module` | Deny manipulation and functions on kernel modules. | |
| 115 | 115 |
| `quotactl` | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. | |
| 116 | 116 |
| `reboot` | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`. | |
| 117 |
-| `restart_syscall` | Don't allow containers to restart a syscall. Possible seccomp bypass see: https://code.google.com/p/chromium/issues/detail?id=408827. | |
|
| 118 | 117 |
| `request_key` | Prevent containers from using the kernel keyring, which is not namespaced. | |
| 119 | 118 |
| `set_mempolicy` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. | |
| 120 | 119 |
| `setns` | Deny associating a thread with a namespace. Also gated by `CAP_SYS_ADMIN`. | |
| ... | ... |
@@ -1029,6 +1029,11 @@ var DefaultProfile = &types.Seccomp{
|
| 1029 | 1029 |
Args: []*types.Arg{},
|
| 1030 | 1030 |
}, |
| 1031 | 1031 |
{
|
| 1032 |
+ Name: "restart_syscall", |
|
| 1033 |
+ Action: types.ActAllow, |
|
| 1034 |
+ Args: []*types.Arg{},
|
|
| 1035 |
+ }, |
|
| 1036 |
+ {
|
|
| 1032 | 1037 |
Name: "rmdir", |
| 1033 | 1038 |
Action: types.ActAllow, |
| 1034 | 1039 |
Args: []*types.Arg{},
|