From a83cedddc6d3e0fe1df352ec54245090df641ab8 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Mon, 23 May 2016 15:19:19 -0700
Subject: [PATCH] Enable seccomp on ppc64le
In order to do this, allow the socketcall syscall in the default seccomp profile. This is a multiplexing syscall for the socket operations, which is becoming obsolete gradually, but it is used in some architectures. libseccomp has special handling for it for x86 where it is common, so we did not need it in the profile, but does not have any handling for ppc64le. It turns out that the Debian images we use for tests do use the socketcall, while the newer images such as Ubuntu 16.04 do not. Enabling this does no harm as we allow all the socket operations anyway, and we allow the similar ipc call for similar reasons already.
Signed-off-by: Justin Cormack
---
 Dockerfile.ppc64le | 2 +-
 profiles/seccomp/default.json | 5 +++++
 profiles/seccomp/seccomp_default.go | 5 +++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le
index ec015449976722618d3b31056fd54a4f3bae5339..f2f0c28e2a53aaa9df548dda3a5d627b325bf421 100644
--- a/Dockerfile.ppc64le
+++ b/Dockerfile.ppc64le
@@ -168,7 +168,7 @@ RUN useradd --create-home --gid docker unprivilegeduser
 VOLUME /var/lib/docker
 WORKDIR /go/src/github.com/docker/docker
-ENV DOCKER_BUILDTAGS apparmor pkcs11 selinux
+ENV DOCKER_BUILDTAGS apparmor pkcs11 seccomp selinux
 # Let us use a .bashrc file
 RUN ln -sfv $PWD/.bashrc ~/.bashrc
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 049195fe976085002f5aec89f746272bbe78c41e..212ff49942094de240ec3aeb55684f631f338617 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -1292,6 +1292,11 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
+ {
+ "name": "socketcall",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
 {
 "name": "socketpair",
 "action": "SCMP_ACT_ALLOW",
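Review bot: Adding `seccomp` to DOCKER_BUILDTAGS on the ENV line makes the ppc64le build depend on the libseccomp library and headers being present in this image, because the tag pulls in the cgo binding, and nothing in this hunk shows them being installed. Presumably an earlier step of Dockerfile.ppc64le already provides them, since the commit is titled as enabling rather than adding seccomp support, but that is worth confirming because a missing library fails the build outright rather than quietly disabling the feature. It would also help to add a short comment above the ENV line recording that the tag requires libseccomp in this image, so the dependency is visible next to the switch that needs it.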
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 36aab3479a2cd326820aa73c5c5a19f4091985eb..a0884123517b9763cb45b056631eee7da1818839 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -1321,6 +1321,11 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
+ {
+ Name: "socketcall",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
 {
 Name: "socketpair",
 Action: types.ActAllow,
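Review bot: The new `socketcall` entry is allowed with no argument filtering (`Args: []*types.Arg{}`), which matches the neighbouring socket entries today, but a multiplexer is a different kind of rule: the filter only sees socketcall's own arguments, so any argument restriction later placed on an individual socket syscall in this profile would, as far as I can tell, not apply to callers routed through socketcall on architectures such as ppc64le. That coupling is explained in the commit message but not in the code, so it should be recorded on the entry; suggest `// socketcall multiplexes the socket family of syscalls on architectures such as ppc64le. It is allowed without argument filtering because each multiplexed call is already allowed individually; any later per-call restriction must be mirrored here.` The same entry is added to profiles/seccomp/default.json in the previous hunk, and the two lists need to stay in sync. DefaultProfile begins and ends outside this hunk.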