
Revert "Block obsolete socket families in the default seccomp profile"

This reverts commit 7e3a596a63fd8d0ab958132901b6ded81f8b44c0.

Unfortunately, it was pointed out in https://github.com/moby/moby/pull/29076#commitcomment-21831387
that the `socketcall` syscall takes a pointer to a struct so it is not possible to
use seccomp profiles to filter it. This means these socket families cannot be blocked, as you can
use `socketcall` to call them regardless, since we currently allow 32 bit syscalls.

Users who wish to block these should use a seccomp profile that blocks all
32 bit syscalls and then just block the non socketcall versions.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Justin Cormack 8 yıl önce
ebeveyn
işleme
dcf2632945

+ 1 - 2
contrib/syscall-test/Dockerfile

@@ -10,7 +10,6 @@ RUN gcc -g -Wall -static userns.c -o /usr/bin/userns-test \
 	&& gcc -g -Wall -static setuid.c -o /usr/bin/setuid-test \
 	&& gcc -g -Wall -static setgid.c -o /usr/bin/setgid-test \
 	&& gcc -g -Wall -static socket.c -o /usr/bin/socket-test \
-	&& gcc -g -Wall -static raw.c -o /usr/bin/raw-test \
-	&& gcc -g -Wall -static appletalk.c -o /usr/bin/appletalk-test
+	&& gcc -g -Wall -static raw.c -o /usr/bin/raw-test
 
 RUN [ "$(uname -m)" = "x86_64" ] && gcc -s -m32 -nostdlib exit32.s -o /usr/bin/exit32-test || true

+ 0 - 12
contrib/syscall-test/appletalk.c

@@ -1,12 +0,0 @@
-#include <stdio.h>
-#include <sys/socket.h>
-
-int main() {
-
-	if (socket(AF_APPLETALK, SOCK_DGRAM, 0) != -1) {
-		fprintf(stderr, "Opening Appletalk socket worked, should be blocked\n");
-		return 1;
-	}
-
-	return 0;
-}

+ 0 - 12
integration-cli/docker_cli_run_unix_test.go

@@ -1015,18 +1015,6 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
 	})
 }
 
-// TestRunSeccompProfileDenyUnusualSocketFamilies checks that rarely used socket families such as Appletalk are blocked by the default profile
-func (s *DockerSuite) TestRunSeccompProfileDenyUnusualSocketFamilies(c *check.C) {
-	testRequires(c, SameHostDaemon, seccompEnabled)
-	ensureSyscallTest(c)
-
-	runCmd := exec.Command(dockerBinary, "run", "syscall-test", "appletalk-test")
-	_, _, err := runCommandWithOutput(runCmd)
-	if err != nil {
-		c.Fatal("expected opening appletalk socket family to fail")
-	}
-}
-
 // TestRunSeccompProfileDenyCloneUserns checks that 'docker run syscall-test'
 // with a the default seccomp profile exits with operation not permitted.
 func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {

+ 1 - 1
integration-cli/fixtures_linux_daemon_test.go

@@ -60,7 +60,7 @@ func ensureSyscallTest(c *check.C) {
 	gcc, err := exec.LookPath("gcc")
 	c.Assert(err, checker.IsNil, check.Commentf("could not find gcc"))
 
-	tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw", "appletalk"}
+	tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw"}
 	for _, test := range tests {
 		out, err := exec.Command(gcc, "-g", "-Wall", "-static", fmt.Sprintf("../contrib/syscall-test/%s.c", test), "-o", fmt.Sprintf("%s/%s-test", tmp, test)).CombinedOutput()
 		c.Assert(err, checker.IsNil, check.Commentf(string(out)))
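Review bot: The `tests` slice on the new side duplicates the list of sources compiled in contrib/syscall-test/Dockerfile, and this commit had to edit both in lockstep; a comment such as `// Keep in sync with contrib/syscall-test/Dockerfile.` above the slice would make that coupling visible to the next person who adds a syscall test. `ensureSyscallTest` continues past the end of the hunk.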

+ 2 - 217
profiles/seccomp/default.json

@@ -314,6 +314,8 @@
 				"signalfd",
 				"signalfd4",
 				"sigreturn",
+				"socket",
+				"socketcall",
 				"socketpair",
 				"splice",
 				"stat",
@@ -449,223 +451,6 @@
 			"includes": {},
 			"excludes": {}
 		},
-		{
-			"names": [
-				"socket"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 1,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
-		{
-			"names": [
-				"socket"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 2,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
-		{
-			"names": [
-				"socket"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 10,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
-		{
-			"names": [
-				"socket"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 16,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
-		{
-			"names": [
-				"socket"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 17,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
-		{
-			"names": [
-				"socketcall"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 1,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_GT"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
-		{
-			"names": [
-				"socketcall"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 1,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				},
-				{
-					"index": 1,
-					"value": 1,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
-		{
-			"names": [
-				"socketcall"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 1,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				},
-				{
-					"index": 1,
-					"value": 2,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
-		{
-			"names": [
-				"socketcall"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 1,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				},
-				{
-					"index": 1,
-					"value": 10,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
-		{
-			"names": [
-				"socketcall"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 1,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				},
-				{
-					"index": 1,
-					"value": 16,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
-		{
-			"names": [
-				"socketcall"
-			],
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 1,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				},
-				{
-					"index": 1,
-					"value": 17,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_EQ"
-				}
-			],
-			"comment": "",
-			"includes": {},
-			"excludes": {}
-		},
 		{
 			"names": [
 				"sync_file_range2"

+ 2 - 147
profiles/seccomp/seccomp_default.go

@@ -308,6 +308,8 @@ func DefaultProfile() *types.Seccomp {
 				"signalfd",
 				"signalfd4",
 				"sigreturn",
+				"socket",
+				"socketcall",
 				"socketpair",
 				"splice",
 				"stat",
@@ -410,153 +412,6 @@ func DefaultProfile() *types.Seccomp {
 				},
 			},
 		},
-		{
-			Names:  []string{"socket"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: syscall.AF_UNIX,
-					Op:    types.OpEqualTo,
-				},
-			},
-		},
-		{
-			Names:  []string{"socket"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: syscall.AF_INET,
-					Op:    types.OpEqualTo,
-				},
-			},
-		},
-		{
-			Names:  []string{"socket"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: syscall.AF_INET6,
-					Op:    types.OpEqualTo,
-				},
-			},
-		},
-		{
-			Names:  []string{"socket"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: syscall.AF_NETLINK,
-					Op:    types.OpEqualTo,
-				},
-			},
-		},
-		{
-			Names:  []string{"socket"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: syscall.AF_PACKET,
-					Op:    types.OpEqualTo,
-				},
-			},
-		},
-		// socketcall(1, ...) is equivalent to socket(...) on some architectures eg i386
-		{
-			Names:  []string{"socketcall"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: 1,
-					Op:    types.OpGreaterThan,
-				},
-			},
-		},
-		{
-			Names:  []string{"socketcall"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: 1,
-					Op:    types.OpEqualTo,
-				},
-				{
-					Index: 1,
-					Value: syscall.AF_UNIX,
-					Op:    types.OpEqualTo,
-				},
-			},
-		},
-		{
-			Names:  []string{"socketcall"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: 1,
-					Op:    types.OpEqualTo,
-				},
-				{
-					Index: 1,
-					Value: syscall.AF_INET,
-					Op:    types.OpEqualTo,
-				},
-			},
-		},
-		{
-			Names:  []string{"socketcall"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: 1,
-					Op:    types.OpEqualTo,
-				},
-				{
-					Index: 1,
-					Value: syscall.AF_INET6,
-					Op:    types.OpEqualTo,
-				},
-			},
-		},
-		{
-			Names:  []string{"socketcall"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: 1,
-					Op:    types.OpEqualTo,
-				},
-				{
-					Index: 1,
-					Value: syscall.AF_NETLINK,
-					Op:    types.OpEqualTo,
-				},
-			},
-		},
-		{
-			Names:  []string{"socketcall"},
-			Action: types.ActAllow,
-			Args: []*types.Arg{
-				{
-					Index: 0,
-					Value: 1,
-					Op:    types.OpEqualTo,
-				},
-				{
-					Index: 1,
-					Value: syscall.AF_PACKET,
-					Op:    types.OpEqualTo,
-				},
-			},
-		},
 		{
 			Names: []string{
 				"sync_file_range2",
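Review bot: With `"socket"` and `"socketcall"` added unconditionally to the allow list in the first hunk, the default profile no longer restricts socket families at all, and the second hunk deletes the only in-code explanation of the socket/socketcall relationship, so the rationale now exists solely in the commit message. A comment at the `"socket",` entry of the allow list in `DefaultProfile` would preserve it, e.g. `// socket and socketcall are allowed unconditionally: socketcall takes a pointer to its arguments, so seccomp cannot filter the socket family through it.` profiles/seccomp/default.json, which appears to mirror this file, cannot carry such a comment, so this file is the place for it. `DefaultProfile` starts and ends outside both hunks.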