Browse code
Do not restrict chown via seccomp, just let capabilities control access
In #22554 I aligned seccomp and capabilities, however the case of
the chown calls and CAP_CHOWN was less clearcut, as these are
simple calls that the capabilities will block if they are not
allowed. They are needed when no new privileges is not set in
order to allow docker to call chown before the container is
started, so there was a workaround but this did not include
all the chown syscalls, and Arm was failing on some seccomp
tests because it was using a different syscall from just the
fchown that was allowed in this case. It is simpler to just
allow all the chown calls in the default seccomp profile and
let the capabilities subsystem block them.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Justin Cormack authored on 2016/05/26 04:49:30Showing 2 changed files
| ... | ... |
@@ -57,6 +57,16 @@ |
| 57 | 57 |
"args": [] |
| 58 | 58 |
}, |
| 59 | 59 |
{
|
| 60 |
+ "name": "chown", |
|
| 61 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 62 |
+ "args": [] |
|
| 63 |
+ }, |
|
| 64 |
+ {
|
|
| 65 |
+ "name": "chown32", |
|
| 66 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 67 |
+ "args": [] |
|
| 68 |
+ }, |
|
| 69 |
+ {
|
|
| 60 | 70 |
"name": "clock_getres", |
| 61 | 71 |
"action": "SCMP_ACT_ALLOW", |
| 62 | 72 |
"args": [] |
| ... | ... |
@@ -212,6 +222,21 @@ |
| 212 | 212 |
"args": [] |
| 213 | 213 |
}, |
| 214 | 214 |
{
|
| 215 |
+ "name": "fchown", |
|
| 216 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 217 |
+ "args": [] |
|
| 218 |
+ }, |
|
| 219 |
+ {
|
|
| 220 |
+ "name": "fchown32", |
|
| 221 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 222 |
+ "args": [] |
|
| 223 |
+ }, |
|
| 224 |
+ {
|
|
| 225 |
+ "name": "fchownat", |
|
| 226 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 227 |
+ "args": [] |
|
| 228 |
+ }, |
|
| 229 |
+ {
|
|
| 215 | 230 |
"name": "fcntl", |
| 216 | 231 |
"action": "SCMP_ACT_ALLOW", |
| 217 | 232 |
"args": [] |
| ... | ... |
@@ -557,6 +582,16 @@ |
| 557 | 557 |
"args": [] |
| 558 | 558 |
}, |
| 559 | 559 |
{
|
| 560 |
+ "name": "lchown", |
|
| 561 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 562 |
+ "args": [] |
|
| 563 |
+ }, |
|
| 564 |
+ {
|
|
| 565 |
+ "name": "lchown32", |
|
| 566 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 567 |
+ "args": [] |
|
| 568 |
+ }, |
|
| 569 |
+ {
|
|
| 560 | 570 |
"name": "lgetxattr", |
| 561 | 571 |
"action": "SCMP_ACT_ALLOW", |
| 562 | 572 |
"args": [] |
| ... | ... |
@@ -1523,41 +1558,6 @@ |
| 1523 | 1523 |
"args": [] |
| 1524 | 1524 |
}, |
| 1525 | 1525 |
{
|
| 1526 |
- "name": "chown", |
|
| 1527 |
- "action": "SCMP_ACT_ALLOW", |
|
| 1528 |
- "args": [] |
|
| 1529 |
- }, |
|
| 1530 |
- {
|
|
| 1531 |
- "name": "chown32", |
|
| 1532 |
- "action": "SCMP_ACT_ALLOW", |
|
| 1533 |
- "args": [] |
|
| 1534 |
- }, |
|
| 1535 |
- {
|
|
| 1536 |
- "name": "fchown", |
|
| 1537 |
- "action": "SCMP_ACT_ALLOW", |
|
| 1538 |
- "args": [] |
|
| 1539 |
- }, |
|
| 1540 |
- {
|
|
| 1541 |
- "name": "fchown32", |
|
| 1542 |
- "action": "SCMP_ACT_ALLOW", |
|
| 1543 |
- "args": [] |
|
| 1544 |
- }, |
|
| 1545 |
- {
|
|
| 1546 |
- "name": "fchownat", |
|
| 1547 |
- "action": "SCMP_ACT_ALLOW", |
|
| 1548 |
- "args": [] |
|
| 1549 |
- }, |
|
| 1550 |
- {
|
|
| 1551 |
- "name": "lchown", |
|
| 1552 |
- "action": "SCMP_ACT_ALLOW", |
|
| 1553 |
- "args": [] |
|
| 1554 |
- }, |
|
| 1555 |
- {
|
|
| 1556 |
- "name": "lchown32", |
|
| 1557 |
- "action": "SCMP_ACT_ALLOW", |
|
| 1558 |
- "args": [] |
|
| 1559 |
- }, |
|
| 1560 |
- {
|
|
| 1561 | 1526 |
"name": "chroot", |
| 1562 | 1527 |
"action": "SCMP_ACT_ALLOW", |
| 1563 | 1528 |
"args": [] |
| ... | ... |
@@ -1573,11 +1573,6 @@ |
| 1573 | 1573 |
"op": "SCMP_CMP_MASKED_EQ" |
| 1574 | 1574 |
} |
| 1575 | 1575 |
] |
| 1576 |
- }, |
|
| 1577 |
- {
|
|
| 1578 |
- "name": "fchown", |
|
| 1579 |
- "action": "SCMP_ACT_ALLOW", |
|
| 1580 |
- "args": [] |
|
| 1581 | 1576 |
} |
| 1582 | 1577 |
] |
| 1583 | 1578 |
} |
| 1584 | 1579 |
\ No newline at end of file |
| ... | ... |
@@ -89,6 +89,17 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
| 89 | 89 |
Args: []*types.Arg{},
|
| 90 | 90 |
}, |
| 91 | 91 |
{
|
| 92 |
+ Name: "chown", |
|
| 93 |
+ Action: types.ActAllow, |
|
| 94 |
+ Args: []*types.Arg{},
|
|
| 95 |
+ }, |
|
| 96 |
+ {
|
|
| 97 |
+ Name: "chown32", |
|
| 98 |
+ Action: types.ActAllow, |
|
| 99 |
+ Args: []*types.Arg{},
|
|
| 100 |
+ }, |
|
| 101 |
+ |
|
| 102 |
+ {
|
|
| 92 | 103 |
Name: "clock_getres", |
| 93 | 104 |
Action: types.ActAllow, |
| 94 | 105 |
Args: []*types.Arg{},
|
| ... | ... |
@@ -244,6 +255,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
| 244 | 244 |
Args: []*types.Arg{},
|
| 245 | 245 |
}, |
| 246 | 246 |
{
|
| 247 |
+ Name: "fchown", |
|
| 248 |
+ Action: types.ActAllow, |
|
| 249 |
+ Args: []*types.Arg{},
|
|
| 250 |
+ }, |
|
| 251 |
+ {
|
|
| 252 |
+ Name: "fchown32", |
|
| 253 |
+ Action: types.ActAllow, |
|
| 254 |
+ Args: []*types.Arg{},
|
|
| 255 |
+ }, |
|
| 256 |
+ {
|
|
| 257 |
+ Name: "fchownat", |
|
| 258 |
+ Action: types.ActAllow, |
|
| 259 |
+ Args: []*types.Arg{},
|
|
| 260 |
+ }, |
|
| 261 |
+ {
|
|
| 247 | 262 |
Name: "fcntl", |
| 248 | 263 |
Action: types.ActAllow, |
| 249 | 264 |
Args: []*types.Arg{},
|
| ... | ... |
@@ -589,6 +615,16 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
| 589 | 589 |
Args: []*types.Arg{},
|
| 590 | 590 |
}, |
| 591 | 591 |
{
|
| 592 |
+ Name: "lchown", |
|
| 593 |
+ Action: types.ActAllow, |
|
| 594 |
+ Args: []*types.Arg{},
|
|
| 595 |
+ }, |
|
| 596 |
+ {
|
|
| 597 |
+ Name: "lchown32", |
|
| 598 |
+ Action: types.ActAllow, |
|
| 599 |
+ Args: []*types.Arg{},
|
|
| 600 |
+ }, |
|
| 601 |
+ {
|
|
| 592 | 602 |
Name: "lgetxattr", |
| 593 | 603 |
Action: types.ActAllow, |
| 594 | 604 |
Args: []*types.Arg{},
|
| ... | ... |
@@ -1591,44 +1627,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
| 1591 | 1591 |
var cap string |
| 1592 | 1592 |
for _, cap = range rs.Process.Capabilities {
|
| 1593 | 1593 |
switch cap {
|
| 1594 |
- case "CAP_CHOWN": |
|
| 1595 |
- syscalls = append(syscalls, []*types.Syscall{
|
|
| 1596 |
- {
|
|
| 1597 |
- Name: "chown", |
|
| 1598 |
- Action: types.ActAllow, |
|
| 1599 |
- Args: []*types.Arg{},
|
|
| 1600 |
- }, |
|
| 1601 |
- {
|
|
| 1602 |
- Name: "chown32", |
|
| 1603 |
- Action: types.ActAllow, |
|
| 1604 |
- Args: []*types.Arg{},
|
|
| 1605 |
- }, |
|
| 1606 |
- {
|
|
| 1607 |
- Name: "fchown", |
|
| 1608 |
- Action: types.ActAllow, |
|
| 1609 |
- Args: []*types.Arg{},
|
|
| 1610 |
- }, |
|
| 1611 |
- {
|
|
| 1612 |
- Name: "fchown32", |
|
| 1613 |
- Action: types.ActAllow, |
|
| 1614 |
- Args: []*types.Arg{},
|
|
| 1615 |
- }, |
|
| 1616 |
- {
|
|
| 1617 |
- Name: "fchownat", |
|
| 1618 |
- Action: types.ActAllow, |
|
| 1619 |
- Args: []*types.Arg{},
|
|
| 1620 |
- }, |
|
| 1621 |
- {
|
|
| 1622 |
- Name: "lchown", |
|
| 1623 |
- Action: types.ActAllow, |
|
| 1624 |
- Args: []*types.Arg{},
|
|
| 1625 |
- }, |
|
| 1626 |
- {
|
|
| 1627 |
- Name: "lchown32", |
|
| 1628 |
- Action: types.ActAllow, |
|
| 1629 |
- Args: []*types.Arg{},
|
|
| 1630 |
- }, |
|
| 1631 |
- }...) |
|
| 1632 | 1594 |
case "CAP_DAC_READ_SEARCH": |
| 1633 | 1595 |
syscalls = append(syscalls, []*types.Syscall{
|
| 1634 | 1596 |
{
|
| ... | ... |
@@ -1853,17 +1851,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
| 1853 | 1853 |
}...) |
| 1854 | 1854 |
} |
| 1855 | 1855 |
|
| 1856 |
- // We need some additional syscalls in this case see #22252 |
|
| 1857 |
- if !rs.Process.NoNewPrivileges {
|
|
| 1858 |
- syscalls = append(syscalls, []*types.Syscall{
|
|
| 1859 |
- {
|
|
| 1860 |
- Name: "fchown", |
|
| 1861 |
- Action: types.ActAllow, |
|
| 1862 |
- Args: []*types.Arg{},
|
|
| 1863 |
- }, |
|
| 1864 |
- }...) |
|
| 1865 |
- } |
|
| 1866 |
- |
|
| 1867 | 1856 |
return &types.Seccomp{
|
| 1868 | 1857 |
DefaultAction: types.ActErrno, |
| 1869 | 1858 |
Architectures: arches(), |