
seccomp: switch default to ENOSYS
Add the syscalls that the profile currently blocks only through the default action to an explicit EPERM deny-list, and switch the default action to ENOSYS.

Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe committed May 24, 2021
1 parent 807226d commit 40d6e52
Showing 2 changed files with 455 additions and 4 deletions.
220 changes: 217 additions & 3 deletions pkg/seccomp/default_linux.go
Expand Up @@ -43,7 +43,9 @@ func arches() []Architecture {

// DefaultProfile defines the allowlist for the default seccomp profile.
func DefaultProfile() *Seccomp {
eperm := uint(unix.EPERM)
einval := uint(unix.EINVAL)
enosys := uint(unix.ENOSYS)

syscalls := []*Syscall{
{
Expand Down Expand Up @@ -392,6 +394,87 @@ func DefaultProfile() *Seccomp {
Action: ActAllow,
Args: []*Arg{},
},
{
Names: []string{
"add_key",
"bdflush",
"break",
"cachectl",
"clone3",
"ftime",
"futex_time64",
"get_kernel_syms",
"getpmsg",
"gtty",
"idle",
"io_pgetevents",
"io_pgetevents_time64",
"io_uring_enter",
"io_uring_register",
"io_uring_setup",
"kexec_file_load",
"kexec_load",
"membarrier",
"migrate_pages",
"move_pages",
"mpx",
"mq_timedreceive_time64",
"mq_timedsend_time64",
"multiplexer",
"nfsservctl",
"nice",
"oldfstat",
"oldlstat",
"oldolduname",
"oldstat",
"olduname",
"pciconfig_iobase",
"pciconfig_read",
"pciconfig_write",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"prof",
"profil",
"putpmsg",
"readdir",
"recvmmsg_time64",
"request_key",
"rseq",
"rtas",
"rt_sigtimedwait_time64",
"sched_rr_get_interval_time64",
"security",
"semtimedop_time64",
"sgetmask",
"spu_create",
"spu_run",
"ssetmask",
"stty",
"subpage_prot",
"swapcontext",
"swapoff",
"swapon",
"switch_endian",
"_sysctl",
"sys_debug_setcontext",
"sysfs",
"sysmips",
"timer_settime64",
"tuxcall",
"ulimit",
"uselib",
"userfaultfd",
"ustat",
"vm86",
"vm86old",
"vmsplice",
"vserver",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
},
{
Names: []string{"personality"},
Action: ActAllow,
Expand Down Expand Up @@ -514,6 +597,17 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_DAC_READ_SEARCH"},
},
},
{
Names: []string{
"open_by_handle_at",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_DAC_READ_SEARCH"},
},
},
{
Names: []string{
"bpf",
Expand All @@ -531,6 +625,24 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_ADMIN"},
},
},
{
Names: []string{
"bpf",
"fanotify_init",
"lookup_dcookie",
"perf_event_open",
"quotactl",
"setdomainname",
"sethostname",
"setns",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_ADMIN"},
},
},
{
Names: []string{
"chroot",
Expand All @@ -541,6 +653,17 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_CHROOT"},
},
},
{
Names: []string{
"chroot",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_CHROOT"},
},
},
{
Names: []string{
"delete_module",
Expand All @@ -554,6 +677,20 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_MODULE"},
},
},
{
Names: []string{
"delete_module",
"init_module",
"finit_module",
"query_module",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_MODULE"},
},
},
{
Names: []string{
"get_mempolicy",
Expand All @@ -566,6 +703,19 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_NICE"},
},
},
{
Names: []string{
"get_mempolicy",
"mbind",
"set_mempolicy",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_NICE"},
},
},
{
Names: []string{
"acct",
Expand All @@ -576,6 +726,17 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_PACCT"},
},
},
{
Names: []string{
"acct",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_PACCT"},
},
},
{
Names: []string{
"kcmp",
Expand All @@ -590,6 +751,21 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_PTRACE"},
},
},
{
Names: []string{
"kcmp",
"process_madvise",
"process_vm_readv",
"process_vm_writev",
"ptrace",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_PTRACE"},
},
},
{
Names: []string{
"iopl",
Expand All @@ -601,6 +777,18 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_RAWIO"},
},
},
{
Names: []string{
"iopl",
"ioperm",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_RAWIO"},
},
},
{
Names: []string{
"settimeofday",
Expand All @@ -614,6 +802,20 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_TIME"},
},
},
{
Names: []string{
"settimeofday",
"stime",
"clock_settime",
"clock_settime64",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_TIME"},
},
},
{
Names: []string{
"vhangup",
Expand All @@ -624,6 +826,17 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_TTY_CONFIG"},
},
},
{
Names: []string{
"vhangup",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_TTY_CONFIG"},
},
},
{
Names: []string{
"socket",
Expand Down Expand Up @@ -706,8 +919,9 @@ func DefaultProfile() *Seccomp {
}

return &Seccomp{
DefaultAction: ActErrno,
ArchMap: arches(),
Syscalls: syscalls,
DefaultAction: ActErrno,
DefaultErrnoRet: &enosys,
ArchMap: arches(),
Syscalls: syscalls,
}
}
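Review bot: Putting `clone3` and the whole `*_time64` family (`futex_time64`, `mq_timedsend_time64`, `recvmmsg_time64`, `rt_sigtimedwait_time64`, `timer_settime64`, …) into the EPERM deny-list in the first large hunk appears to undo the main benefit of the new `DefaultErrnoRet: &enosys` for exactly the syscalls where it matters: the libc fallbacks I am aware of (glibc's clone3→clone path, and the time64→32-bit time syscall paths on i386/arm) are taken only on ENOSYS, so a container built against a newer libc would see EPERM surface to the application instead of falling back. Unless EPERM is needed for callers that test for it, I would drop those names from this block so they fall through to the ENOSYS default, or give them their own rule with `Action: ActErrno, ErrnoRet: &enosys,`. The ten capability-gated EPERM rules duplicate the name lists of the allow rules directly above them (bpf/fanotify_init/…, chroot, *_module, *_mempolicy, acct, kcmp/ptrace/…, iopl/ioperm, settimeofday/…, vhangup) with nothing tying the pairs together; a comment on each such as `// Same names as the allow rule above: return EPERM (not the ENOSYS default) when the capability is absent, so callers keep the historical error. Keep both lists in sync.` would record the intent and the coupling. Note that `DefaultProfile` and the `syscalls` slice begin above the first hunk, so the existing allow rules these deny rules mirror are only partly visible here.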
