
Merge pull request #22991 from justincormack/seccompchown

Do not restrict chown via seccomp, just let capabilities control access
Sebastiaan van Stijn 9 سال پیش
والد
کامیت
214ab22582
2فایلهای تغییر یافته به همراه71 افزوده شده و 89 حذف شده
  1. 35 40
      profiles/seccomp/default.json
  2. 36 49
      profiles/seccomp/seccomp_default.go

+ 35 - 40
profiles/seccomp/default.json

@@ -56,6 +56,16 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "chown",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "chown32",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "clock_getres",
 			"action": "SCMP_ACT_ALLOW",
@@ -211,6 +221,21 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "fchown",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "fchown32",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "fchownat",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "fcntl",
 			"action": "SCMP_ACT_ALLOW",
@@ -556,6 +581,16 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "lchown",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "lchown32",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "lgetxattr",
 			"action": "SCMP_ACT_ALLOW",
@@ -1522,41 +1557,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "chown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "chown32",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "fchown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "fchown32",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "fchownat",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "lchown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "lchown32",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "chroot",
 			"action": "SCMP_ACT_ALLOW",
@@ -1573,11 +1573,6 @@
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			]
-		},
-		{
-			"name": "fchown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
 		}
 	]
 }

+ 36 - 49
profiles/seccomp/seccomp_default.go

@@ -88,6 +88,17 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "chown",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "chown32",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+
 		{
 			Name:   "clock_getres",
 			Action: types.ActAllow,
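Review bot: The `chown`/`chown32` entries added to the unconditional allow list carry no comment saying that access control for them now rests on the kernel's capability check rather than on this profile, and the same holds for the `fchown`/`fchown32`/`fchownat` and `lchown`/`lchown32` entries added in the two later hunks. A one-line comment above the first entry, such as `// chown family: always allowed by seccomp; CAP_CHOWN is enforced by the kernel, not by this filter`, would keep a later reader from reintroducing the per-capability case this commit removes. The blank line left after the `chown32` entry is the only gap between entries in the visible part of the list and could be dropped. Nothing on the page shows a test that a process without CAP_CHOWN still gets a permission error on these calls, which is the property the change relies on; one may exist elsewhere. DefaultProfile starts and ends outside this hunk.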
@@ -243,6 +254,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "fchown",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "fchown32",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "fchownat",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
 		{
 			Name:   "fcntl",
 			Action: types.ActAllow,
@@ -588,6 +614,16 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "lchown",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "lchown32",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
 		{
 			Name:   "lgetxattr",
 			Action: types.ActAllow,
@@ -1591,44 +1627,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 	var cap string
 	for _, cap = range rs.Process.Capabilities {
 		switch cap {
-		case "CAP_CHOWN":
-			syscalls = append(syscalls, []*types.Syscall{
-				{
-					Name:   "chown",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "chown32",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "fchown",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "fchown32",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "fchownat",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "lchown",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "lchown32",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-			}...)
 		case "CAP_DAC_READ_SEARCH":
 			syscalls = append(syscalls, []*types.Syscall{
 				{
@@ -1853,17 +1851,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 		}...)
 	}
 
-	// We need some additional syscalls in this case see #22252
-	if !rs.Process.NoNewPrivileges {
-		syscalls = append(syscalls, []*types.Syscall{
-			{
-				Name:   "fchown",
-				Action: types.ActAllow,
-				Args:   []*types.Arg{},
-			},
-		}...)
-	}
-
 	return &types.Seccomp{
 		DefaultAction: types.ActErrno,
 		Architectures: arches(),