moby/contrib/syscall-test
Justin Cormack 7e3a596a63 Block obsolete socket families in the default seccomp profile
Linux supports many obsolete address families, which are usually available in
common distro kernels, but they are less likely to be properly audited and
may have security issues

This blocks all socket families in the socket (and socketcall where applicable) syscall
except
- AF_UNIX - Unix domain sockets
- AF_INET - IPv4
- AF_INET6 - IPv6
- AF_NETLINK - Netlink sockets for communicating with the ekrnel
- AF_PACKET - raw sockets, which are only allowed with CAP_NET_RAW

All other socket families are blocked, including Appletalk (native, not
over IP), IPX (remember that!), VSOCK and HVSOCK, which should not generally
be used in containers, etc.

Note that users can of course provide a profile per container or in the daemon
config if they have unusual use cases that require these.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-01-17 17:50:44 +00:00
..
acct.c add more seccomp profile tests 2015-12-30 17:30:44 -08:00
appletalk.c Block obsolete socket families in the default seccomp profile 2017-01-17 17:50:44 +00:00
Dockerfile Block obsolete socket families in the default seccomp profile 2017-01-17 17:50:44 +00:00
exit32.s Add a test that the default seccomp profile allows execution of 32 bit binaries 2016-07-27 18:42:34 +01:00
ns.c fix typos 2016-07-23 11:32:23 +08:00
raw.c Use runc version built without ambient capabilities 2016-11-04 17:25:28 +00:00
setgid.c Use runc version built without ambient capabilities 2016-11-04 17:25:28 +00:00
setuid.c Use runc version built without ambient capabilities 2016-11-04 17:25:28 +00:00
socket.c Use runc version built without ambient capabilities 2016-11-04 17:25:28 +00:00
userns.c fix typos 2016-07-23 11:32:23 +08:00