From 78ac839f6d4dd0cf6dd44a67201e16ee3e890c1d Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 16 Jun 2021 12:14:26 +0200
Subject: [PATCH 1/6] seccomp: allow clone3

Signed-off-by: Giuseppe Scrivano
---
 pkg/seccomp/default_linux.go | 2 +-
 pkg/seccomp/seccomp.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
index edb1294d6..7e9dd0cd8 100644
--- a/pkg/seccomp/default_linux.go
+++ b/pkg/seccomp/default_linux.go
@@ -51,7 +51,6 @@ func DefaultProfile() *Seccomp {
 {
 Names: []string{
 "bdflush",
- "clone3",
 "io_pgetevents",
 "io_uring_enter",
 "io_uring_register",
@@ -118,6 +117,7 @@ func DefaultProfile() *Seccomp {
 "clock_nanosleep",
 "clock_nanosleep_time64",
 "clone",
+ "clone3",
 "close",
 "close_range",
 "connect",
diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json
index 885240e50..f377136b2 100644
--- a/pkg/seccomp/seccomp.json
+++ b/pkg/seccomp/seccomp.json
@@ -54,7 +54,6 @@
 {
 "names": [
 "bdflush",
- "clone3",
 "io_pgetevents",
 "io_uring_enter",
 "io_uring_register",
@@ -124,6 +123,7 @@
 "clock_nanosleep",
 "clock_nanosleep_time64",
 "clone",
+ "clone3",
 "close",
 "close_range",
 "connect",

From 399bd59e0d0d3e3845d59a7fe197d08371b061b0 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 16 Jun 2021 12:15:02 +0200
Subject: [PATCH 2/6] seccomp: let io_uring_* fail with ENOSYS

Signed-off-by: Giuseppe Scrivano
---
 pkg/seccomp/default_linux.go | 3 ---
 pkg/seccomp/seccomp.json | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
index 7e9dd0cd8..fce834c58 100644
--- a/pkg/seccomp/default_linux.go
+++ b/pkg/seccomp/default_linux.go
@@ -52,9 +52,6 @@ func DefaultProfile() *Seccomp {
 Names: []string{
 "bdflush",
 "io_pgetevents",
- "io_uring_enter",
- "io_uring_register",
- "io_uring_setup",
 "kexec_file_load",
 "kexec_load",
 "membarrier",
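Review bot: Moving clone3 into the unconditional allow list (the `+ "clone3",` line after `"clone",`) grants more than the existing clone entry can ever be narrowed to, because clone3 receives its flags through a struct clone_args in user memory and seccomp can only compare register arguments, so any argument rule the profile may apply to clone cannot be mirrored for clone3. If DefaultProfile filters clone by its flags elsewhere, that gap should be recorded next to the new entry, e.g. `"clone3", // flags live in struct clone_args, which seccomp cannot inspect; not filterable like clone`. DefaultProfile starts and ends outside this hunk, and the seccomp.json hunks in this patch mirror the change.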
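Review bot: Removing io_uring_enter, io_uring_register and io_uring_setup from this list leaves their result to the profile's default action, which is not visible in the hunk, so the ENOSYS outcome named in the subject is an inference from the rest of DefaultProfile rather than something the diff shows. A one-line comment on the list would keep a later reader from mistaking such a removal for an allow, e.g. `// Syscalls removed from this list fall through to the profile's default action; keep only those that must return a different errno here.`. The same point applies to the membarrier removal in patch 5/6 (`seccomp: let membarrier fail with ENOSYS`) in both files. The rule and DefaultProfile begin outside this hunk, and the seccomp.json hunk in this patch mirrors it.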
diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json
index f377136b2..7f55ee03f 100644
--- a/pkg/seccomp/seccomp.json
+++ b/pkg/seccomp/seccomp.json
@@ -55,9 +55,6 @@
 "names": [
 "bdflush",
 "io_pgetevents",
- "io_uring_enter",
- "io_uring_register",
- "io_uring_setup",
 "kexec_file_load",
 "kexec_load",
 "membarrier",

From 4d1476ba87c2d73c7e83d56cabbd9181e34c589f Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 16 Jun 2021 12:16:41 +0200
Subject: [PATCH 3/6] seccomp: allow pkey_*

Signed-off-by: Giuseppe Scrivano
---
 pkg/seccomp/default_linux.go | 6 +++---
 pkg/seccomp/seccomp.json | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
index fce834c58..2b6beab9b 100644
--- a/pkg/seccomp/default_linux.go
+++ b/pkg/seccomp/default_linux.go
@@ -67,9 +67,6 @@ func DefaultProfile() *Seccomp {
 "pciconfig_iobase",
 "pciconfig_read",
 "pciconfig_write",
- "pkey_alloc",
- "pkey_free",
- "pkey_mprotect",
 "rseq",
 "sgetmask",
 "ssetmask",
@@ -283,6 +280,9 @@ func DefaultProfile() *Seccomp {
 "pipe",
 "pipe2",
 "pivot_root",
+ "pkey_alloc",
+ "pkey_free",
+ "pkey_mprotect",
 "poll",
 "ppoll",
 "ppoll_time64",
diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json
index 7f55ee03f..b5cad7f73 100644
--- a/pkg/seccomp/seccomp.json
+++ b/pkg/seccomp/seccomp.json
@@ -70,9 +70,6 @@
 "pciconfig_iobase",
 "pciconfig_read",
 "pciconfig_write",
- "pkey_alloc",
- "pkey_free",
- "pkey_mprotect",
 "rseq",
 "sgetmask",
 "ssetmask",
@@ -289,6 +286,9 @@
 "pipe",
 "pipe2",
 "pivot_root",
+ "pkey_alloc",
+ "pkey_free",
+ "pkey_mprotect",
 "poll",
 "ppoll",
 "ppoll_time64",

From 08bbb0dfae71da36afd3be1ca104701e6cfa4406 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 16 Jun 2021 12:17:23 +0200
Subject: [PATCH 4/6] seccomp: allow rseq

Signed-off-by: Giuseppe Scrivano
---
 pkg/seccomp/default_linux.go | 2 +-
 pkg/seccomp/seccomp.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
index 2b6beab9b..31a214566 100644
--- a/pkg/seccomp/default_linux.go
+++ b/pkg/seccomp/default_linux.go
@@ -67,7 +67,6 @@ func DefaultProfile() *Seccomp {
 "pciconfig_iobase",
 "pciconfig_read",
 "pciconfig_write",
- "rseq",
 "sgetmask",
 "ssetmask",
 "swapcontext",
@@ -315,6 +314,7 @@ func DefaultProfile() *Seccomp {
 "renameat2",
 "restart_syscall",
 "rmdir",
+ "rseq",
 "rt_sigaction",
 "rt_sigpending",
 "rt_sigprocmask",
diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json
index b5cad7f73..00f524b32 100644
--- a/pkg/seccomp/seccomp.json
+++ b/pkg/seccomp/seccomp.json
@@ -70,7 +70,6 @@
 "pciconfig_iobase",
 "pciconfig_read",
 "pciconfig_write",
- "rseq",
 "sgetmask",
 "ssetmask",
 "swapcontext",
@@ -321,6 +320,7 @@
 "renameat2",
 "restart_syscall",
 "rmdir",
+ "rseq",
 "rt_sigaction",
 "rt_sigpending",
 "rt_sigprocmask",

From 0f242ca74bd16175bc55013ed457c88137bec0cf Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 16 Jun 2021 12:18:01 +0200
Subject: [PATCH 5/6] seccomp: let membarrier fail with ENOSYS

Signed-off-by: Giuseppe Scrivano
---
 pkg/seccomp/default_linux.go | 1 -
 pkg/seccomp/seccomp.json | 1 -
 2 files changed, 2 deletions(-)

diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
index 31a214566..dff9cae8d 100644
--- a/pkg/seccomp/default_linux.go
+++ b/pkg/seccomp/default_linux.go
@@ -54,7 +54,6 @@ func DefaultProfile() *Seccomp {
 "io_pgetevents",
 "kexec_file_load",
 "kexec_load",
- "membarrier",
 "migrate_pages",
 "move_pages",
 "nfsservctl",
diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json
index 00f524b32..e23263464 100644
--- a/pkg/seccomp/seccomp.json
+++ b/pkg/seccomp/seccomp.json
@@ -57,7 +57,6 @@
 "io_pgetevents",
 "kexec_file_load",
 "kexec_load",
- "membarrier",
 "migrate_pages",
 "move_pages",
 "nfsservctl",

From 689e5b074454da5228bb05604f89b7a876baa8fe Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 16 Jun 2021 13:17:26 +0200
Subject: [PATCH 6/6] seccomp: always allow get_mempolicy, set_mempolicy, mbind

Signed-off-by: Giuseppe Scrivano
---
 pkg/seccomp/default_linux.go | 28 +++-------------------------
 pkg/seccomp/seccomp.json | 36 +++---------------------------------
 2 files changed, 6 insertions(+), 58 deletions(-)

diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
index dff9cae8d..725e0bfc7 100644
--- a/pkg/seccomp/default_linux.go
+++ b/pkg/seccomp/default_linux.go
@@ -183,6 +183,7 @@ func DefaultProfile() *Seccomp {
 "getgroups",
 "getgroups32",
 "getitimer",
+ "get_mempolicy",
 "getpeername",
 "getpgid",
 "getpgrp",
@@ -233,6 +234,7 @@ func DefaultProfile() *Seccomp {
 "lstat",
 "lstat64",
 "madvise",
+ "mbind",
 "memfd_create",
 "mincore",
 "mkdir",
@@ -350,6 +352,7 @@ func DefaultProfile() *Seccomp {
 "sendmsg",
 "sendto",
 "setns",
+ "set_mempolicy",
 "set_robust_list",
 "set_thread_area",
 "set_tid_address",
@@ -659,31 +662,6 @@ func DefaultProfile() *Seccomp {
 Caps: []string{"CAP_SYS_MODULE"},
 },
 },
- {
- Names: []string{
- "get_mempolicy",
- "mbind",
- "set_mempolicy",
- },
- Action: ActAllow,
- Args: []*Arg{},
- Includes: Filter{
- Caps: []string{"CAP_SYS_NICE"},
- },
- },
- {
- Names: []string{
- "get_mempolicy",
- "mbind",
- "set_mempolicy",
- },
- Action: ActErrno,
- ErrnoRet: &eperm,
- Args: []*Arg{},
- Excludes: Filter{
- Caps: []string{"CAP_SYS_NICE"},
- },
- },
 {
 Names: []string{
 "acct",
diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json
index e23263464..eeb41d5d8 100644
--- a/pkg/seccomp/seccomp.json
+++ b/pkg/seccomp/seccomp.json
@@ -189,6 +189,7 @@
 "getgroups",
 "getgroups32",
 "getitimer",
+ "get_mempolicy",
 "getpeername",
 "getpgid",
 "getpgrp",
@@ -239,6 +240,7 @@
 "lstat",
 "lstat64",
 "madvise",
+ "mbind",
 "memfd_create",
 "mincore",
 "mkdir",
@@ -356,6 +358,7 @@
 "sendmsg",
 "sendto",
 "setns",
+ "set_mempolicy",
 "set_robust_list",
 "set_thread_area",
 "set_tid_address",
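Review bot: The removal of the two CAP_SYS_NICE-gated rules for get_mempolicy, mbind and set_mempolicy in the `@@ -659,31 +662,6 @@` hunk is not explained anywhere, and the subject only states the new behaviour; a reader has to know that the kernel requires no capability for these calls on the caller's own address space (only mbind with MPOL_MF_MOVE_ALL needs CAP_SYS_NICE, and the kernel enforces that itself), while the cross-process variants migrate_pages and move_pages remain in the restricted list shown as context in patch 5/6. That rationale belongs in the commit description or beside the new entry, e.g. `"get_mempolicy", // with mbind/set_mempolicy: per-process NUMA policy, the kernel itself checks CAP_SYS_NICE for MPOL_MF_MOVE_ALL`. The two `ErrnoRet: &eperm` uses dropped here are presumably not the last ones in DefaultProfile, since the matching seccomp.json hunk still shows another `"errnoRet": 1` rule as context; DefaultProfile starts and ends outside this hunk. If seccomp.json is generated from default_linux.go, regenerating it rather than hand-editing both files would avoid the two copies drifting.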
@@ -755,39 +758,6 @@
 },
 "errnoRet": 1
 },
- {
- "names": [
- "get_mempolicy",
- "mbind",
- "set_mempolicy"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_NICE"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "get_mempolicy",
- "mbind",
- "set_mempolicy"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_NICE"
- ]
- },
- "errnoRet": 1
- },
 {
 "names": [
 "acct"