
Merge pull request #44562 from thaJeztah/seccomp_block_af_vsock

seccomp: block socket calls to AF_VSOCK in default profile
Sebastiaan van Stijn 2 tahun lalu
40408d1640
2 mengubah file dengan 26 tambahan dan 2 penghapusan
  1. 13 1
      profiles/seccomp/default.json
  2. 13 1
      profiles/seccomp/default_linux.go

+ 13 - 1
profiles/seccomp/default.json

@@ -356,7 +356,6 @@
 				"signalfd4",
 				"sigprocmask",
 				"sigreturn",
-				"socket",
 				"socketcall",
 				"socketpair",
 				"splice",
@@ -420,6 +419,19 @@
 				"minKernel": "4.8"
 			}
 		},
+		{
+			"names": [
+				"socket"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [
+				{
+					"index": 0,
+					"value": 40,
+					"op": "SCMP_CMP_NE"
+				}
+			]
+		},
 		{
 			"names": [
 				"personality"
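Review bot: The new `socket` rule filters on argument 0 being different from 40, but `"socketcall"` stays in the unconditional allow list right below the removed `"socket"` entry, and on architectures where libc reaches socket(2) through that multiplexer the kernel's seccomp filter only sees a pointer to the argument block, so the domain cannot be compared and AF_VSOCK is not blocked there; the `"socketcall"` line in default_linux.go has the same limitation. Because JSON cannot carry comments, the literal 40 gives a reader of default.json no hint that it is AF_VSOCK, and keeping this entry in step with the `unix.AF_VSOCK` constant in default_linux.go depends on a test comparing the two profiles existing, which the commit does not show. It would be worth stating the architecture-dependent scope of the restriction in the PR description.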

+ 13 - 1
profiles/seccomp/default_linux.go

@@ -348,7 +348,6 @@ func DefaultProfile() *Seccomp {
 					"signalfd4",
 					"sigprocmask",
 					"sigreturn",
-					"socket",
 					"socketcall",
 					"socketpair",
 					"splice",
@@ -415,6 +414,19 @@ func DefaultProfile() *Seccomp {
 				MinKernel: &KernelVersion{4, 8},
 			},
 		},
+		{
+			LinuxSyscall: specs.LinuxSyscall{
+				Names:  []string{"socket"},
+				Action: specs.ActAllow,
+				Args: []specs.LinuxSeccompArg{
+					{
+						Index: 0,
+						Value: unix.AF_VSOCK,
+						Op:    specs.OpNotEqual,
+					},
+				},
+			},
+		},
 		{
 			LinuxSyscall: specs.LinuxSyscall{
 				Names:  []string{"personality"},
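Review bot: The new entry with `Value: unix.AF_VSOCK` carries no comment explaining why socket(2) is split out of the main allow list into its own argument-filtered rule, and this file is the only place such a rationale can live since default.json cannot hold comments. I would add, above the `{` that opens the new entry, `// socket(2) is allowed for every domain except AF_VSOCK; keep in sync with default.json (#44562).` The body of DefaultProfile starts and ends outside the hunk.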