Do not restrict chown via seccomp, just let capabilities control access

In #22554 I aligned seccomp and capabilities, however the case of the chown calls and CAP_CHOWN was less clearcut, as these are simple calls that the capabilities will block if they are not allowed. They are needed when no new privileges is not set in order to allow docker to call chown before the container is started, so there was a workaround but this did not include all the chown syscalls, and Arm was failing on some seccomp tests because it was using a different syscall from just the fchown that was allowed in this case. It is simpler to just allow all the chown calls in the default seccomp profile and let the capabilities subsystem block them. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-25 12:49:30 -07:00 · 2016-05-25 12:49:30 -07:00 · 9ed6e39cdd
commit 9ed6e39cdd
parent 0fe4417a3b
2 changed files with 71 additions and 89 deletions
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@ -56,6 +56,16 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "chown",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "chown32",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "clock_getres",
 			"action": "SCMP_ACT_ALLOW",
@ -211,6 +221,21 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "fchown",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "fchown32",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "fchownat",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "fcntl",
 			"action": "SCMP_ACT_ALLOW",
@ -556,6 +581,16 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "lchown",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "lchown32",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "lgetxattr",
 			"action": "SCMP_ACT_ALLOW",
@ -1522,41 +1557,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "chown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "chown32",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "fchown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "fchown32",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "fchownat",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "lchown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "lchown32",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "chroot",
 			"action": "SCMP_ACT_ALLOW",
@ -1573,11 +1573,6 @@
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			]
-		},
-		{
-			"name": "fchown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
 		}
 	]
 }
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@ -88,6 +88,17 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "chown",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "chown32",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+
 		{
 			Name:   "clock_getres",
 			Action: types.ActAllow,
@ -243,6 +254,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "fchown",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "fchown32",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "fchownat",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
 		{
 			Name:   "fcntl",
 			Action: types.ActAllow,
@ -588,6 +614,16 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "lchown",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "lchown32",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
 		{
 			Name:   "lgetxattr",
 			Action: types.ActAllow,
@ -1591,44 +1627,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 	var cap string
 	for _, cap = range rs.Process.Capabilities {
 		switch cap {
-		case "CAP_CHOWN":
-			syscalls = append(syscalls, []*types.Syscall{
-				{
-					Name:   "chown",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "chown32",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "fchown",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "fchown32",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "fchownat",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "lchown",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "lchown32",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-			}...)
 		case "CAP_DAC_READ_SEARCH":
 			syscalls = append(syscalls, []*types.Syscall{
 				{
@ -1853,17 +1851,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 		}...)
 	}

-	// We need some additional syscalls in this case see #22252
-	if !rs.Process.NoNewPrivileges {
-		syscalls = append(syscalls, []*types.Syscall{
-			{
-				Name:   "fchown",
-				Action: types.ActAllow,
-				Args:   []*types.Arg{},
-			},
-		}...)
-	}
-
 	return &types.Seccomp{
 		DefaultAction: types.ActErrno,
 		Architectures: arches(),