
Allow restart_syscall in default seccomp profile

Fixes #20818

This syscall was blocked as there was some concern that it could be
used to bypass filtering of other syscall arguments. However, none of the
potential syscalls where this could be an issue (poll, nanosleep,
clock_nanosleep, futex) are blocked in the default profile anyway.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Justin Cormack, 9 years ago
Parent
Current commit: 5abd881883
3 files changed, 10 insertions and 1 deletion

  1. docs/security/seccomp.md (+0 -1)
  2. profiles/seccomp/default.json (+5 -0)
  3. profiles/seccomp/seccomp_default.go (+5 -0)

+ 0 - 1
docs/security/seccomp.md

@@ -114,7 +114,6 @@ the reason each syscall is blocked rather than white-listed.
 | `query_module`      | Deny manipulation and functions on kernel modules.                                                            |
 | `quotactl`          | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. |
 | `reboot`            | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`.                                           |
-| `restart_syscall`   | Don't allow containers to restart a syscall. Possible seccomp bypass see: https://code.google.com/p/chromium/issues/detail?id=408827. |
 | `request_key`       | Prevent containers from using the kernel keyring, which is not namespaced.                                    |
 | `set_mempolicy`     | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`.                       |
 | `setns`             | Deny associating a thread with a namespace. Also gated by `CAP_SYS_ADMIN`.                                    |
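Review bot: deleting the `restart_syscall` row leaves seccomp.md with no record of why this syscall is now allowed, while the actual reasoning lives only in the commit message (the restartable syscalls poll, nanosleep, clock_nanosleep and futex carry no argument filters in the default profile, so the bypass from the linked Chromium issue does not apply). Suggest keeping that rationale in the docs, e.g. a sentence near the table saying that `restart_syscall` is allowed because none of the syscalls it can restart are argument-filtered, so a future reader who finds the Chromium bypass does not reopen the question.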

+ 5 - 0
profiles/seccomp/default.json

@@ -999,6 +999,11 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "restart_syscall",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "rmdir",
 			"action": "SCMP_ACT_ALLOW",
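Review bot: this entry is hand-duplicated between default.json and the `DefaultProfile` in seccomp_default.go, and the change must land in both hunks to stay consistent; a test that the two profiles contain the same set of syscall names would catch the next time one side is updated and the other is not. The entry itself (`"action": "SCMP_ACT_ALLOW"`, `"args": []`) matches its neighbours, and JSON cannot carry a comment, so the invariant this allow depends on has to be recorded in the Go file or the docs rather than here.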

+ 5 - 0
profiles/seccomp/seccomp_default.go

@@ -1028,6 +1028,11 @@ var DefaultProfile = &types.Seccomp{
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "restart_syscall",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
 		{
 			Name:   "rmdir",
 			Action: types.ActAllow,
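Review bot: this allow rule is only safe while poll, nanosleep, clock_nanosleep and futex remain free of `Args` filters, and nothing in the file records that dependency; unlike the JSON profile, the Go file can carry a comment, so add one on the entry, e.g. `// Safe to allow only while the restartable syscalls (poll, nanosleep, clock_nanosleep, futex) carry no Args filters.`, so that whoever later adds argument filtering to one of those syscalls knows to revisit `restart_syscall`.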