Commit graph

8 commits

Author SHA1 Message Date
Justin Cormack
dcf2632945 Revert "Block obsolete socket families in the default seccomp profile"
This reverts commit 7e3a596a63.

Unfortunately, it was pointed out in https://github.com/moby/moby/pull/29076#commitcomment-21831387
that the `socketcall` syscall takes a pointer to a struct so it is not possible to
use seccomp profiles to filter it. This means these cannot be blocked as you can
use `socketcall` to call them regardless, as we currently allow 32 bit syscalls.

Users who wish to block these should use a seccomp profile that blocks all
32 bit syscalls and then just block the non socketcall versions.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-05-09 14:26:00 +01:00
Aaron.L.Xu
e0577d5fe8 fix some typos from module contrib to man
Signed-off-by: Aaron.L.Xu <likexu@harmonycloud.cn>
2017-02-18 10:08:55 +08:00
Justin Cormack
7e3a596a63 Block obsolete socket families in the default seccomp profile
Linux supports many obsolete address families, which are usually available in
common distro kernels, but they are less likely to be properly audited and
may have security issues

This blocks all socket families in the socket (and socketcall where applicable) syscall
except
- AF_UNIX - Unix domain sockets
- AF_INET - IPv4
- AF_INET6 - IPv6
- AF_NETLINK - Netlink sockets for communicating with the ekrnel
- AF_PACKET - raw sockets, which are only allowed with CAP_NET_RAW

All other socket families are blocked, including Appletalk (native, not
over IP), IPX (remember that!), VSOCK and HVSOCK, which should not generally
be used in containers, etc.

Note that users can of course provide a profile per container or in the daemon
config if they have unusual use cases that require these.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-01-17 17:50:44 +00:00
Justin Cormack
c5251f7116 Use runc version built without ambient capabilities
Until we can support existing behaviour with `sudo` disable
ambient capabilities in runc build.

Add tests that non root user cannot use default capabilities,
and that capabilities are working as expected.

Test for #27590

Update runc.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-11-04 17:25:28 +00:00
Justin Cormack
93bbc76ee5 Add a test that the default seccomp profile allows execution of 32 bit binaries
While testing #24510 I noticed that 32 bit syscalls were incorrectly being
blocked and we did not have a test for this, so adding one.

This is only tested on amd64 as it is the only architecture that
reliably supports 32 bit code execution, others only do sometimes.

There is no 32 bit libc in the buildpack-deps so we cannot build
32 bit C code easily so use the simplest assembly program which
just calls the exit syscall.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-07-27 18:42:34 +01:00
allencloud
4e959ef2f7 fix typos
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-07-23 11:32:23 +08:00
Tianon Gravi
9b2aab3fc8 Switch "syscall-test" image from "debian:jessie" to "buildpack-deps:jessie" so that "gcc" is already included
This results in a significant time savings during repeated builds (since we don't have to re-download gcc for every test run).

Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2016-01-14 13:51:30 -08:00
Jessica Frazelle
327421d1df
add more seccomp profile tests
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-30 17:30:44 -08:00