moby/profiles/seccomp
Sebastiaan van Stijn 6875e7f1be
seccomp: block socket calls to AF_VSOCK in default profile
This syncs the seccomp-profile with the latest changes in containerd's
profile, applying the same changes as 17a9324035

Some background from the associated ticket:

> We want to use vsock for guest-host communication on KubeVirt
> (https://github.com/kubevirt/kubevirt). In KubeVirt we run VMs in pods.
>
> However since anyone can just connect from any pod to any VM with the
> default seccomp settings, we cannot limit connection attempts to our
> privileged node-agent.
>
> ### Describe the solution you'd like
> We want to deny the `socket` syscall for the `AF_VSOCK` family by default.
>
> I see in [1] and [2] that AF_VSOCK was actually already blocked for some
> time, but that got reverted since some architectures support the `socketcall`
> syscall which can't be restricted properly. However we are mostly interested
> in `arm64` and `amd64` where limiting `socket` would probably be enough.
>
> ### Additional context
> I know that in theory we could use our own seccomp profiles, but we would want
> to provide security for as many users as possible which use KubeVirt, and there
> it would be very helpful if this protection could be added by being part of the
> DefaultRuntime profile to easily ensure that it is active for all pods [3].
>
> Impact on existing workloads: It is unlikely that this will disturb any existing
> workload, because VSOCK is almost exclusively used for host-guest communication.
> However if someone would still use it: Privileged pods would still be able to
> use `socket` for `AF_VSOCK`, custom seccomp policies could be applied too.
> Further it was already blocked for quite some time and the blockade got lifted
> due to reasons not related to AF_VSOCK.
>
> The PR in KubeVirt which adds VSOCK support for additional context: [4]
>
> [1]: https://github.com/moby/moby/pull/29076#commitcomment-21831387
> [2]: dcf2632945
> [3]: https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads
> [4]: https://github.com/kubevirt/kubevirt/pull/8546

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 57b229012a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-01 14:09:46 +01:00
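How a rule of this shape behaves, as an added example that is not the project's own code: a minimal stand-in for the OCI seccomp rule types plus an evaluator that checks a syscall against a `socket`/`AF_VSOCK` deny rule, including the `socketcall` gap the ticket mentions. Assumed: the type names, the EPERM (errno 1) return, and the constructed argument vectors; 40 is the Linux `AF_VSOCK` number.

```go
package main

import "fmt"

// Minimal stand-ins for the OCI runtime-spec seccomp types (assumption: same
// shape as specs.LinuxSyscall / specs.LinuxSeccompArg used in default_linux.go).
type Arg struct {
	Index uint   // syscall argument position
	Value uint64 // must equal the argument (SCMP_CMP_EQ)
}
type Rule struct {
	Names    []string
	ErrnoRet int   // errno returned to the caller when the rule matches
	Args     []Arg // all Args must match (they are ANDed)
}

const AF_VSOCK = 40 // Linux address-family number for vsock

// VsockDenyRule has the shape of the rule this commit adds: socket(2) whose
// domain (argument 0) is AF_VSOCK fails with EPERM (errno 1, assumed here).
var VsockDenyRule = Rule{Names: []string{"socket"}, ErrnoRet: 1,
	Args: []Arg{{Index: 0, Value: AF_VSOCK}}}

// Evaluate returns the errno a syscall would receive under rules, or 0 when
// no rule matches and the call is allowed.
func Evaluate(rules []Rule, name string, args []uint64) int {
	for _, r := range rules {
		matched := false
		for _, n := range r.Names {
			matched = matched || n == name
		}
		for _, a := range r.Args {
			matched = matched && int(a.Index) < len(args) && args[a.Index] == a.Value
		}
		if matched {
			return r.ErrnoRet
		}
	}
	return 0
}

func main() {
	rules := []Rule{VsockDenyRule}
	fmt.Println(Evaluate(rules, "socket", []uint64{AF_VSOCK, 1, 0})) // 1: denied
	fmt.Println(Evaluate(rules, "socket", []uint64{2, 1, 0}))        // 0: AF_INET allowed
	// On socketcall(2) architectures the family sits in a user-space array that
	// argument 1 points to, so a rule on "socket" never sees it (the ticket's caveat).
	fmt.Println(Evaluate(rules, "socketcall", []uint64{1, 0xdeadbeef})) // 0: not caught
}
```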
fixtures seccomp: Use explicit DefaultErrnoRet 2021-07-30 19:13:21 +02:00
default.json seccomp: block socket calls to AF_VSOCK in default profile 2022-12-01 14:09:46 +01:00
default_linux.go seccomp: block socket calls to AF_VSOCK in default profile 2022-12-01 14:09:46 +01:00
generate.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
kernel_linux.go all: use unix.ByteSliceToString for utsname fields 2022-05-18 17:13:20 -07:00
kernel_linux_test.go seccomp: implement marshal/unmarshall for MinVersion 2020-10-07 17:48:25 +02:00
seccomp.go seccomp: Seccomp: embed oci-spec LinuxSeccomp, add support for seccomp flags 2021-07-17 15:57:54 +02:00
seccomp_linux.go seccomp: Seccomp: embed oci-spec LinuxSeccomp, add support for seccomp flags 2021-07-17 15:57:54 +02:00
seccomp_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00