Commit graph

28 commits

Author SHA1 Message Date
Sebastiaan van Stijn
4adc40ac40
fix duplicate words (dupwords)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-07 10:57:03 +01:00
Sebastiaan van Stijn
0ef7e727d2
seccomp: Seccomp: embed oci-spec LinuxSeccomp, add support for seccomp flags
This patch, similar to d92739713c, embeds the
`LinuxSeccomp` type of the runtime-spec, so that we can support all options
provided by the spec, and decorates it with our own fields.

With this, profiles can make use of the recently added "Flags" field, to
specify flags that must be passed to seccomp(2) when installing the filter.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-17 15:57:54 +02:00
Sebastiaan van Stijn
b309e96b11
seccomp: improve GoDoc for Seccomp fields
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 18:01:12 +02:00
Rodrigo Campos
5d244675bd seccomp: Sync fields with runtime-spec fields
The runtime spec we are using has support for these 3 fields[1], but
moby doesn't have them in its seccomp struct. This patch just adds and
copies them when they are in the profile.

DefaultErrnoRet is implemented in the runc version moby is using (it is
implemented since runc-rc95[2]) but if we create a container without
this moby patch, we don't see an error nor the expected behavior. This
is not clear for the user (the profile they specify is valid, the syntax
is ok, but the wrong behavior is seen).

This is because the DefaultErrnoRet field is not copied to the config
passed ultimately to runc (i.e. is like the field was not specified).
With this patch, we see the expected behavior.

The other two fileds are in the runtime-spec but not yet in runc (a PR
is open and targets 1.1.0 milestone). However, I took the liberty to
copy them now too for two reasons:

1. If we don't add them now and end up using a runc version that
supports them, then the error that the user will see is not clear at
all:

	docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: listenerPath is not set: unknown.

And it is not obvious to debug for the user, as the field _is_ set in
the profile they specify (just not copied by moby to the profile moby
specifies ultimately to runc).

2. When using a runc without seccomp notify support (like today), the
error we see is the same with and without this moby patch (when using a
seccomp profile with the new fields):

	docker: Error response from daemon: OCI runtime create failed: string SCMP_ACT_NOTIFY is not a valid action for seccomp: unknown.

Then, it seems like a clear win to add them now: we don't have to do it
later (that implies not clear errors to the user if we forget, like we
did with DefaultErrnoRet) and the user sees the exact same error when
using a runc version that doesn't support these fields.

[1]: Note we are vendoring version 1c3f411f041711bbeecf35ff7e93461ea6789220 and this version has these 3 fields 1c3f411f04/config-linux.md (seccomp)
[2]: https://github.com/opencontainers/runc/pull/2954/
[3]: https://github.com/opencontainers/runc/pull/2682

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-07-08 17:11:53 +02:00
Sebastiaan van Stijn
c7cd1b9436
profiles/seccomp.Syscall: use pointers and omitempty
These fields are optional, and this makes the JSON representation
slightly less verbose.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-17 21:25:09 +02:00
Sebastiaan van Stijn
d92739713c
seccomp.Syscall: embed runtime-spec Syscall type
This makes the type better reflect the difference with the "runtime" profile;
our local type is used to generate a runtime-spec seccomp profile and extends
the runtime-spec type with additional fields; adding a "Name" field for backward
compatibility with older JSON representations, additional "Comment" metadata,
and conditional rules ("Includes", "Excludes") used during generation to adjust
the profile based on the container (capabilities) and host's (architecture, kernel)
configuration.

This change introduces one change in the type; the "runtime-spec" type uses a
`[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers;
`[]*LinuxSeccompArg`.

In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing
the profile to specify the errno code returned for the syscall, which allows
changing the default EPERM for specific syscalls.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-17 21:25:06 +02:00
Sebastiaan van Stijn
4539e7f0eb
seccomp: implement marshal/unmarshall for MinVersion
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-07 17:48:25 +02:00
Sebastiaan van Stijn
97535c6c2b
seccomp: remove dependency on pkg/parsers/kernel
This removes the dependency on the `pkg/parsers/kernel` package, because secomp
only needs to consider Linux (and no parsing is needed for Windows or Darwin kernel
versions).

This patch implements the minimum requirements for this implementation:

- only `kernel` and `major` versions are considered
- `minor` version, `flavor`, and `-rcXX` suffixes are ignored

So, for example:

- `3.4.54.longterm-1` => `kernel: 3`, `major: 4`
- `3.8.0-19-generic` => `kernel: 3`, `major: 8`
- `3.10.0-862.2.3.el7.x86_64` => `kernel: 3`, `major: 10`

Some systems also omit the `minor` and/or have odd-formatted versions. In context
of generating seccomp profiles, both versions below are considered equal;

- `3.12.25-gentoo` => `kernel: 3`, `major: 12`
- `3.12-1-amd64` => `kernel: 3`, `major: 12`

Note that `-rcX` suffixes are also not considered, and thus (e.g.) kernel `5.9-rc1`,
`5.9-rc6` and `5.9` are all considered equal.

The motivation for ignoring "minor" versions and "flavors" is that;

- The upstream kernel only does "kernel.major" releases
- While release-candidates exists for kernel (e.g. 5.9-rc5), we don't expect users
  to write profiles that target a specific release-candidate, and therefore consider
  (e.g.) kernel `5.9-rc1`, `5.9-rc6` and `5.9` to be equal.
- Generally, a seccomp-profile should either be portable, or written for a specific
  infrastructure (in which case the writer of the profile would know if the kernel-flavors
  used does/does not support certain things.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-02 18:15:37 +02:00
Sebastiaan van Stijn
0d75b63987
seccomp: replace types with runtime-spec types
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 19:33:58 +02:00
Sebastiaan van Stijn
0efee50b95
seccomp: move seccomp types from api into seccomp profile
These types were not used in the API, so could not come up with
a reason why they were in that package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-18 18:14:16 +02:00
Brian Goff
ccbb00c815 Remove dependency in dockerd on libseccomp
This was just using libseccomp to get the right arch, but we can use
GOARCH to get this.
The nativeToSeccomp map needed to be adjusted a bit for mipsle vs mipsel
since that's go how refers to it. Also added some other arches to it.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-09-11 22:48:42 +00:00
Kir Kolyshkin
0d496e3d71 profiles/seccomp: improve profile conversion
When translating seccomp profile to opencontainers format, a single
group with multiple syscalls is converted to individual syscall rules.
I am not sure why it is done that way, but suspect it might have
performance implications as the number of rules grows.

Change this to pass a groups of syscalls as a group.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-06-18 17:58:51 -07:00
Tonis Tiigi
e76380b67b seccomp: review update
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-02-05 12:02:41 -08:00
Tonis Tiigi
1124543ca8 seccomp: allow ptrace for 4.8+ kernels
4.8+ kernels have fixed the ptrace security issues
so we can allow ptrace(2) on the default seccomp
profile if we do the kernel version check.

93e35efb8d

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-11-04 13:06:43 -08:00
Justin Cormack
15ff09395c
If container will run as non root user, drop permitted, effective caps early
As soon as the initial executable in the container is executed as a non root user,
permitted and effective capabilities are dropped. Drop them earlier than this, so
that they are dropped before executing the file. The main effect of this is that
if `CAP_DAC_OVERRIDE` is set (the default) the user will not be able to execute
files they do not have permission to execute, which previously they could.

The old behaviour was somewhat surprising and the new one is definitely correct,
but it is not in any meaningful way exploitable, and I do not think it is
necessary to backport this fix. It is unlikely to have any negative effects as
almost all executables have world execute permission anyway.

Use the bounding set not the effective set as the canonical set of capabilities, as
effective will now vary.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2018-03-19 14:45:27 -07:00
Daniel Nephin
4f0d95fa6e Add canonical import comment
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 16:51:57 -05:00
Chao Wang
5c154cfac8 Copy Inslice() to those parts that use it
Signed-off-by: Chao Wang <wangchao.fnst@cn.fujitsu.com>
2017-11-10 13:42:38 +08:00
Michael Crosby
005506d36c Update moby to runc and oci 1.0 runtime final rc
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-05-05 13:45:45 -07:00
Antonio Murdaca
197f3ee687
profiles/seccomp: fix comment
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-25 11:40:54 +01:00
Michael Crosby
91e197d614 Add engine-api types to docker
This moves the types for the `engine-api` repo to the existing types
package.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-07 11:05:58 -07:00
Antonio Murdaca
5ff21add06
New seccomp format
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-01 11:53:07 +02:00
Michael Crosby
041e5a21dc Replace old oci specs import with runtime-specs
Fixes #25804

The upstream repo changed the import paths.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-08-17 09:38:34 -07:00
Justin Cormack
a01c4dc8f8 Align default seccomp profile with selected capabilities
Currently the default seccomp profile is fixed. This changes it
so that it varies depending on the Linux capabilities selected with
the --cap-add and --cap-drop options. Without this, if a user adds
privileges, eg to allow ptrace with --cap-add sys_ptrace then still
cannot actually use ptrace as it is still blocked by seccomp, so
they will probably disable seccomp or use --privileged. With this
change the syscalls that are needed for the capability are also
allowed by the seccomp profile based on the selected capabilities.

While this patch makes it easier to do things with for example
cap_sys_admin enabled, as it will now allow creating new namespaces
and use of mount, it still allows less than --cap-add cap_sys_admin
--security-opt seccomp:unconfined would have previously. It is not
recommended that users run containers with cap_sys_admin as this does
give full access to the host machine.

It also cleans up some architecture specific system calls to be
only selected when needed.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-11 09:30:23 +01:00
Tonis Tiigi
99b16b3523 Reuse profiles/seccomp package
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-03-19 14:15:39 -07:00
allencloud
34b82a69b9 fix some typos.
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-03-10 10:09:27 +08:00
Jessica Frazelle
ad600239bc
generate seccomp profile convert type
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-19 13:32:54 -08:00
Jessica Frazelle
d57816de02
add default seccomp profile as json
profile is created by go generate

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-08 08:19:21 -08:00
Jessica Frazelle
bed0bb7d01
move default seccomp profile into package
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-01-21 16:55:29 -08:00
Renamed from daemon/execdriver/native/seccomp.go (Browse further)