This reverts commit 7e3a596a63fd8d0ab958132901b6ded81f8b44c0.
Unfortunately, it was pointed out in https://github.com/moby/moby/pull/29076#commitcomment-21831387
that the `socketcall` syscall takes a pointer to a struct so it is not possible to
use seccomp profiles to filter it. This means these socket families cannot be blocked, because
`socketcall` can be used to reach them regardless, as we currently allow 32-bit syscalls.
Users who wish to block these should use a seccomp profile that blocks all
32 bit syscalls and then just block the non socketcall versions.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
@@ -10,7 +10,6 @@ RUN gcc -g -Wall -static userns.c -o /usr/bin/userns-test \ |
| 10 | 10 |
&& gcc -g -Wall -static setuid.c -o /usr/bin/setuid-test \ |
| 11 | 11 |
&& gcc -g -Wall -static setgid.c -o /usr/bin/setgid-test \ |
| 12 | 12 |
&& gcc -g -Wall -static socket.c -o /usr/bin/socket-test \ |
| 13 |
- && gcc -g -Wall -static raw.c -o /usr/bin/raw-test \ |
|
| 14 |
- && gcc -g -Wall -static appletalk.c -o /usr/bin/appletalk-test |
|
| 13 |
+ && gcc -g -Wall -static raw.c -o /usr/bin/raw-test |
|
| 15 | 14 |
|
| 16 | 15 |
RUN [ "$(uname -m)" = "x86_64" ] && gcc -s -m32 -nostdlib exit32.s -o /usr/bin/exit32-test || true |
| 17 | 16 |
deleted file mode 100644 |
@@ -1,12 +0,0 @@ |
| 1 |
-#include <stdio.h> |
|
| 2 |
-#include <sys/socket.h> |
|
| 3 |
- |
|
| 4 |
-int main() {
|
|
| 5 |
- |
|
| 6 |
- if (socket(AF_APPLETALK, SOCK_DGRAM, 0) != -1) {
|
|
| 7 |
- fprintf(stderr, "Opening Appletalk socket worked, should be blocked\n"); |
|
| 8 |
- return 1; |
|
| 9 |
- } |
|
| 10 |
- |
|
| 11 |
- return 0; |
|
| 12 |
-} |
@@ -1015,18 +1015,6 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
|
| 1015 | 1015 |
}) |
| 1016 | 1016 |
} |
| 1017 | 1017 |
|
| 1018 |
-// TestRunSeccompProfileDenyUnusualSocketFamilies checks that rarely used socket families such as Appletalk are blocked by the default profile |
|
| 1019 |
-func (s *DockerSuite) TestRunSeccompProfileDenyUnusualSocketFamilies(c *check.C) {
|
|
| 1020 |
- testRequires(c, SameHostDaemon, seccompEnabled) |
|
| 1021 |
- ensureSyscallTest(c) |
|
| 1022 |
- |
|
| 1023 |
- runCmd := exec.Command(dockerBinary, "run", "syscall-test", "appletalk-test") |
|
| 1024 |
- _, _, err := runCommandWithOutput(runCmd) |
|
| 1025 |
- if err != nil {
|
|
| 1026 |
- c.Fatal("expected opening appletalk socket family to fail")
|
|
| 1027 |
- } |
|
| 1028 |
-} |
|
| 1029 |
- |
|
| 1030 | 1018 |
// TestRunSeccompProfileDenyCloneUserns checks that 'docker run syscall-test' |
| 1031 | 1019 |
// with a the default seccomp profile exits with operation not permitted. |
| 1032 | 1020 |
func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
|
@@ -60,7 +60,7 @@ func ensureSyscallTest(c *check.C) {
|
| 60 | 60 |
gcc, err := exec.LookPath("gcc")
|
| 61 | 61 |
c.Assert(err, checker.IsNil, check.Commentf("could not find gcc"))
|
| 62 | 62 |
|
| 63 |
- tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw", "appletalk"}
|
|
| 63 |
+ tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw"}
|
|
| 64 | 64 |
for _, test := range tests {
|
| 65 | 65 |
out, err := exec.Command(gcc, "-g", "-Wall", "-static", fmt.Sprintf("../contrib/syscall-test/%s.c", test), "-o", fmt.Sprintf("%s/%s-test", tmp, test)).CombinedOutput()
|
| 66 | 66 |
c.Assert(err, checker.IsNil, check.Commentf(string(out))) |
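Review bot: The `tests` slice on new line 63 duplicates the list of sources compiled by the syscall-test Dockerfile (the section at the top of this page), and nothing ties the two lists together, so dropping `appletalk` in one place but not the other would only surface when the build or a test run fails. A one-line comment on the slice would make the coupling visible, e.g. `// Keep in sync with the gcc invocations in contrib/syscall-test/Dockerfile.` The body of ensureSyscallTest continues outside the hunk.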
@@ -314,6 +314,8 @@ |
| 314 | 314 |
"signalfd", |
| 315 | 315 |
"signalfd4", |
| 316 | 316 |
"sigreturn", |
| 317 |
+ "socket", |
|
| 318 |
+ "socketcall", |
|
| 317 | 319 |
"socketpair", |
| 318 | 320 |
"splice", |
| 319 | 321 |
"stat", |
@@ -451,223 +453,6 @@ |
| 451 | 451 |
}, |
| 452 | 452 |
{
|
| 453 | 453 |
"names": [ |
| 454 |
- "socket" |
|
| 455 |
- ], |
|
| 456 |
- "action": "SCMP_ACT_ALLOW", |
|
| 457 |
- "args": [ |
|
| 458 |
- {
|
|
| 459 |
- "index": 0, |
|
| 460 |
- "value": 1, |
|
| 461 |
- "valueTwo": 0, |
|
| 462 |
- "op": "SCMP_CMP_EQ" |
|
| 463 |
- } |
|
| 464 |
- ], |
|
| 465 |
- "comment": "", |
|
| 466 |
- "includes": {},
|
|
| 467 |
- "excludes": {}
|
|
| 468 |
- }, |
|
| 469 |
- {
|
|
| 470 |
- "names": [ |
|
| 471 |
- "socket" |
|
| 472 |
- ], |
|
| 473 |
- "action": "SCMP_ACT_ALLOW", |
|
| 474 |
- "args": [ |
|
| 475 |
- {
|
|
| 476 |
- "index": 0, |
|
| 477 |
- "value": 2, |
|
| 478 |
- "valueTwo": 0, |
|
| 479 |
- "op": "SCMP_CMP_EQ" |
|
| 480 |
- } |
|
| 481 |
- ], |
|
| 482 |
- "comment": "", |
|
| 483 |
- "includes": {},
|
|
| 484 |
- "excludes": {}
|
|
| 485 |
- }, |
|
| 486 |
- {
|
|
| 487 |
- "names": [ |
|
| 488 |
- "socket" |
|
| 489 |
- ], |
|
| 490 |
- "action": "SCMP_ACT_ALLOW", |
|
| 491 |
- "args": [ |
|
| 492 |
- {
|
|
| 493 |
- "index": 0, |
|
| 494 |
- "value": 10, |
|
| 495 |
- "valueTwo": 0, |
|
| 496 |
- "op": "SCMP_CMP_EQ" |
|
| 497 |
- } |
|
| 498 |
- ], |
|
| 499 |
- "comment": "", |
|
| 500 |
- "includes": {},
|
|
| 501 |
- "excludes": {}
|
|
| 502 |
- }, |
|
| 503 |
- {
|
|
| 504 |
- "names": [ |
|
| 505 |
- "socket" |
|
| 506 |
- ], |
|
| 507 |
- "action": "SCMP_ACT_ALLOW", |
|
| 508 |
- "args": [ |
|
| 509 |
- {
|
|
| 510 |
- "index": 0, |
|
| 511 |
- "value": 16, |
|
| 512 |
- "valueTwo": 0, |
|
| 513 |
- "op": "SCMP_CMP_EQ" |
|
| 514 |
- } |
|
| 515 |
- ], |
|
| 516 |
- "comment": "", |
|
| 517 |
- "includes": {},
|
|
| 518 |
- "excludes": {}
|
|
| 519 |
- }, |
|
| 520 |
- {
|
|
| 521 |
- "names": [ |
|
| 522 |
- "socket" |
|
| 523 |
- ], |
|
| 524 |
- "action": "SCMP_ACT_ALLOW", |
|
| 525 |
- "args": [ |
|
| 526 |
- {
|
|
| 527 |
- "index": 0, |
|
| 528 |
- "value": 17, |
|
| 529 |
- "valueTwo": 0, |
|
| 530 |
- "op": "SCMP_CMP_EQ" |
|
| 531 |
- } |
|
| 532 |
- ], |
|
| 533 |
- "comment": "", |
|
| 534 |
- "includes": {},
|
|
| 535 |
- "excludes": {}
|
|
| 536 |
- }, |
|
| 537 |
- {
|
|
| 538 |
- "names": [ |
|
| 539 |
- "socketcall" |
|
| 540 |
- ], |
|
| 541 |
- "action": "SCMP_ACT_ALLOW", |
|
| 542 |
- "args": [ |
|
| 543 |
- {
|
|
| 544 |
- "index": 0, |
|
| 545 |
- "value": 1, |
|
| 546 |
- "valueTwo": 0, |
|
| 547 |
- "op": "SCMP_CMP_GT" |
|
| 548 |
- } |
|
| 549 |
- ], |
|
| 550 |
- "comment": "", |
|
| 551 |
- "includes": {},
|
|
| 552 |
- "excludes": {}
|
|
| 553 |
- }, |
|
| 554 |
- {
|
|
| 555 |
- "names": [ |
|
| 556 |
- "socketcall" |
|
| 557 |
- ], |
|
| 558 |
- "action": "SCMP_ACT_ALLOW", |
|
| 559 |
- "args": [ |
|
| 560 |
- {
|
|
| 561 |
- "index": 0, |
|
| 562 |
- "value": 1, |
|
| 563 |
- "valueTwo": 0, |
|
| 564 |
- "op": "SCMP_CMP_EQ" |
|
| 565 |
- }, |
|
| 566 |
- {
|
|
| 567 |
- "index": 1, |
|
| 568 |
- "value": 1, |
|
| 569 |
- "valueTwo": 0, |
|
| 570 |
- "op": "SCMP_CMP_EQ" |
|
| 571 |
- } |
|
| 572 |
- ], |
|
| 573 |
- "comment": "", |
|
| 574 |
- "includes": {},
|
|
| 575 |
- "excludes": {}
|
|
| 576 |
- }, |
|
| 577 |
- {
|
|
| 578 |
- "names": [ |
|
| 579 |
- "socketcall" |
|
| 580 |
- ], |
|
| 581 |
- "action": "SCMP_ACT_ALLOW", |
|
| 582 |
- "args": [ |
|
| 583 |
- {
|
|
| 584 |
- "index": 0, |
|
| 585 |
- "value": 1, |
|
| 586 |
- "valueTwo": 0, |
|
| 587 |
- "op": "SCMP_CMP_EQ" |
|
| 588 |
- }, |
|
| 589 |
- {
|
|
| 590 |
- "index": 1, |
|
| 591 |
- "value": 2, |
|
| 592 |
- "valueTwo": 0, |
|
| 593 |
- "op": "SCMP_CMP_EQ" |
|
| 594 |
- } |
|
| 595 |
- ], |
|
| 596 |
- "comment": "", |
|
| 597 |
- "includes": {},
|
|
| 598 |
- "excludes": {}
|
|
| 599 |
- }, |
|
| 600 |
- {
|
|
| 601 |
- "names": [ |
|
| 602 |
- "socketcall" |
|
| 603 |
- ], |
|
| 604 |
- "action": "SCMP_ACT_ALLOW", |
|
| 605 |
- "args": [ |
|
| 606 |
- {
|
|
| 607 |
- "index": 0, |
|
| 608 |
- "value": 1, |
|
| 609 |
- "valueTwo": 0, |
|
| 610 |
- "op": "SCMP_CMP_EQ" |
|
| 611 |
- }, |
|
| 612 |
- {
|
|
| 613 |
- "index": 1, |
|
| 614 |
- "value": 10, |
|
| 615 |
- "valueTwo": 0, |
|
| 616 |
- "op": "SCMP_CMP_EQ" |
|
| 617 |
- } |
|
| 618 |
- ], |
|
| 619 |
- "comment": "", |
|
| 620 |
- "includes": {},
|
|
| 621 |
- "excludes": {}
|
|
| 622 |
- }, |
|
| 623 |
- {
|
|
| 624 |
- "names": [ |
|
| 625 |
- "socketcall" |
|
| 626 |
- ], |
|
| 627 |
- "action": "SCMP_ACT_ALLOW", |
|
| 628 |
- "args": [ |
|
| 629 |
- {
|
|
| 630 |
- "index": 0, |
|
| 631 |
- "value": 1, |
|
| 632 |
- "valueTwo": 0, |
|
| 633 |
- "op": "SCMP_CMP_EQ" |
|
| 634 |
- }, |
|
| 635 |
- {
|
|
| 636 |
- "index": 1, |
|
| 637 |
- "value": 16, |
|
| 638 |
- "valueTwo": 0, |
|
| 639 |
- "op": "SCMP_CMP_EQ" |
|
| 640 |
- } |
|
| 641 |
- ], |
|
| 642 |
- "comment": "", |
|
| 643 |
- "includes": {},
|
|
| 644 |
- "excludes": {}
|
|
| 645 |
- }, |
|
| 646 |
- {
|
|
| 647 |
- "names": [ |
|
| 648 |
- "socketcall" |
|
| 649 |
- ], |
|
| 650 |
- "action": "SCMP_ACT_ALLOW", |
|
| 651 |
- "args": [ |
|
| 652 |
- {
|
|
| 653 |
- "index": 0, |
|
| 654 |
- "value": 1, |
|
| 655 |
- "valueTwo": 0, |
|
| 656 |
- "op": "SCMP_CMP_EQ" |
|
| 657 |
- }, |
|
| 658 |
- {
|
|
| 659 |
- "index": 1, |
|
| 660 |
- "value": 17, |
|
| 661 |
- "valueTwo": 0, |
|
| 662 |
- "op": "SCMP_CMP_EQ" |
|
| 663 |
- } |
|
| 664 |
- ], |
|
| 665 |
- "comment": "", |
|
| 666 |
- "includes": {},
|
|
| 667 |
- "excludes": {}
|
|
| 668 |
- }, |
|
| 669 |
- {
|
|
| 670 |
- "names": [ |
|
| 671 | 454 |
"sync_file_range2" |
| 672 | 455 |
], |
| 673 | 456 |
"action": "SCMP_ACT_ALLOW", |
@@ -308,6 +308,8 @@ func DefaultProfile() *types.Seccomp {
|
| 308 | 308 |
"signalfd", |
| 309 | 309 |
"signalfd4", |
| 310 | 310 |
"sigreturn", |
| 311 |
+ "socket", |
|
| 312 |
+ "socketcall", |
|
| 311 | 313 |
"socketpair", |
| 312 | 314 |
"splice", |
| 313 | 315 |
"stat", |
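Review bot: The new `"socket"` and `"socketcall"` entries on lines 311-312 sit in the unconditional allowlist with no explanation, so a later reader will see a profile that filters other syscalls by argument yet allows socket creation for every family, and may "tighten" it back to per-family rules without knowing why that was reverted. The reason lives only in the commit message: socketcall passes its arguments through a pointer that seccomp cannot inspect, so per-family rules on `socket` alone are bypassable while 32-bit syscalls are allowed. Suggest a comment above the two names, e.g. `// socket and socketcall are allowed for every family: socketcall takes its arguments via a pointer, which seccomp cannot inspect, so filtering socket by family would be bypassable while 32-bit syscalls are permitted.` The same addition appears in the JSON profile hunk above (new lines 317-318); if that file is generated from this function the comment need only live here, otherwise the profile's comment field should carry the same note. The enclosing DefaultProfile literal starts and ends outside the hunk.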
@@ -411,153 +413,6 @@ func DefaultProfile() *types.Seccomp {
|
| 411 | 411 |
}, |
| 412 | 412 |
}, |
| 413 | 413 |
{
|
| 414 |
- Names: []string{"socket"},
|
|
| 415 |
- Action: types.ActAllow, |
|
| 416 |
- Args: []*types.Arg{
|
|
| 417 |
- {
|
|
| 418 |
- Index: 0, |
|
| 419 |
- Value: syscall.AF_UNIX, |
|
| 420 |
- Op: types.OpEqualTo, |
|
| 421 |
- }, |
|
| 422 |
- }, |
|
| 423 |
- }, |
|
| 424 |
- {
|
|
| 425 |
- Names: []string{"socket"},
|
|
| 426 |
- Action: types.ActAllow, |
|
| 427 |
- Args: []*types.Arg{
|
|
| 428 |
- {
|
|
| 429 |
- Index: 0, |
|
| 430 |
- Value: syscall.AF_INET, |
|
| 431 |
- Op: types.OpEqualTo, |
|
| 432 |
- }, |
|
| 433 |
- }, |
|
| 434 |
- }, |
|
| 435 |
- {
|
|
| 436 |
- Names: []string{"socket"},
|
|
| 437 |
- Action: types.ActAllow, |
|
| 438 |
- Args: []*types.Arg{
|
|
| 439 |
- {
|
|
| 440 |
- Index: 0, |
|
| 441 |
- Value: syscall.AF_INET6, |
|
| 442 |
- Op: types.OpEqualTo, |
|
| 443 |
- }, |
|
| 444 |
- }, |
|
| 445 |
- }, |
|
| 446 |
- {
|
|
| 447 |
- Names: []string{"socket"},
|
|
| 448 |
- Action: types.ActAllow, |
|
| 449 |
- Args: []*types.Arg{
|
|
| 450 |
- {
|
|
| 451 |
- Index: 0, |
|
| 452 |
- Value: syscall.AF_NETLINK, |
|
| 453 |
- Op: types.OpEqualTo, |
|
| 454 |
- }, |
|
| 455 |
- }, |
|
| 456 |
- }, |
|
| 457 |
- {
|
|
| 458 |
- Names: []string{"socket"},
|
|
| 459 |
- Action: types.ActAllow, |
|
| 460 |
- Args: []*types.Arg{
|
|
| 461 |
- {
|
|
| 462 |
- Index: 0, |
|
| 463 |
- Value: syscall.AF_PACKET, |
|
| 464 |
- Op: types.OpEqualTo, |
|
| 465 |
- }, |
|
| 466 |
- }, |
|
| 467 |
- }, |
|
| 468 |
- // socketcall(1, ...) is equivalent to socket(...) on some architectures eg i386 |
|
| 469 |
- {
|
|
| 470 |
- Names: []string{"socketcall"},
|
|
| 471 |
- Action: types.ActAllow, |
|
| 472 |
- Args: []*types.Arg{
|
|
| 473 |
- {
|
|
| 474 |
- Index: 0, |
|
| 475 |
- Value: 1, |
|
| 476 |
- Op: types.OpGreaterThan, |
|
| 477 |
- }, |
|
| 478 |
- }, |
|
| 479 |
- }, |
|
| 480 |
- {
|
|
| 481 |
- Names: []string{"socketcall"},
|
|
| 482 |
- Action: types.ActAllow, |
|
| 483 |
- Args: []*types.Arg{
|
|
| 484 |
- {
|
|
| 485 |
- Index: 0, |
|
| 486 |
- Value: 1, |
|
| 487 |
- Op: types.OpEqualTo, |
|
| 488 |
- }, |
|
| 489 |
- {
|
|
| 490 |
- Index: 1, |
|
| 491 |
- Value: syscall.AF_UNIX, |
|
| 492 |
- Op: types.OpEqualTo, |
|
| 493 |
- }, |
|
| 494 |
- }, |
|
| 495 |
- }, |
|
| 496 |
- {
|
|
| 497 |
- Names: []string{"socketcall"},
|
|
| 498 |
- Action: types.ActAllow, |
|
| 499 |
- Args: []*types.Arg{
|
|
| 500 |
- {
|
|
| 501 |
- Index: 0, |
|
| 502 |
- Value: 1, |
|
| 503 |
- Op: types.OpEqualTo, |
|
| 504 |
- }, |
|
| 505 |
- {
|
|
| 506 |
- Index: 1, |
|
| 507 |
- Value: syscall.AF_INET, |
|
| 508 |
- Op: types.OpEqualTo, |
|
| 509 |
- }, |
|
| 510 |
- }, |
|
| 511 |
- }, |
|
| 512 |
- {
|
|
| 513 |
- Names: []string{"socketcall"},
|
|
| 514 |
- Action: types.ActAllow, |
|
| 515 |
- Args: []*types.Arg{
|
|
| 516 |
- {
|
|
| 517 |
- Index: 0, |
|
| 518 |
- Value: 1, |
|
| 519 |
- Op: types.OpEqualTo, |
|
| 520 |
- }, |
|
| 521 |
- {
|
|
| 522 |
- Index: 1, |
|
| 523 |
- Value: syscall.AF_INET6, |
|
| 524 |
- Op: types.OpEqualTo, |
|
| 525 |
- }, |
|
| 526 |
- }, |
|
| 527 |
- }, |
|
| 528 |
- {
|
|
| 529 |
- Names: []string{"socketcall"},
|
|
| 530 |
- Action: types.ActAllow, |
|
| 531 |
- Args: []*types.Arg{
|
|
| 532 |
- {
|
|
| 533 |
- Index: 0, |
|
| 534 |
- Value: 1, |
|
| 535 |
- Op: types.OpEqualTo, |
|
| 536 |
- }, |
|
| 537 |
- {
|
|
| 538 |
- Index: 1, |
|
| 539 |
- Value: syscall.AF_NETLINK, |
|
| 540 |
- Op: types.OpEqualTo, |
|
| 541 |
- }, |
|
| 542 |
- }, |
|
| 543 |
- }, |
|
| 544 |
- {
|
|
| 545 |
- Names: []string{"socketcall"},
|
|
| 546 |
- Action: types.ActAllow, |
|
| 547 |
- Args: []*types.Arg{
|
|
| 548 |
- {
|
|
| 549 |
- Index: 0, |
|
| 550 |
- Value: 1, |
|
| 551 |
- Op: types.OpEqualTo, |
|
| 552 |
- }, |
|
| 553 |
- {
|
|
| 554 |
- Index: 1, |
|
| 555 |
- Value: syscall.AF_PACKET, |
|
| 556 |
- Op: types.OpEqualTo, |
|
| 557 |
- }, |
|
| 558 |
- }, |
|
| 559 |
- }, |
|
| 560 |
- {
|
|
| 561 | 414 |
Names: []string{
|
| 562 | 415 |
"sync_file_range2", |
| 563 | 416 |
}, |