diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go index f86f3e2ba..091969762 100644 --- a/pkg/seccomp/default_linux.go +++ b/pkg/seccomp/default_linux.go @@ -43,7 +43,9 @@ func arches() []Architecture { // DefaultProfile defines the allowlist for the default seccomp profile. func DefaultProfile() *Seccomp { + eperm := uint(unix.EPERM) einval := uint(unix.EINVAL) + enosys := uint(unix.ENOSYS) syscalls := []*Syscall{ { @@ -392,6 +394,87 @@ func DefaultProfile() *Seccomp { Action: ActAllow, Args: []*Arg{}, }, + { + Names: []string{ + "add_key", + "bdflush", + "break", + "cachectl", + "clone3", + "ftime", + "futex_time64", + "get_kernel_syms", + "getpmsg", + "gtty", + "idle", + "io_pgetevents", + "io_pgetevents_time64", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", + "kexec_file_load", + "kexec_load", + "membarrier", + "migrate_pages", + "move_pages", + "mpx", + "mq_timedreceive_time64", + "mq_timedsend_time64", + "multiplexer", + "nfsservctl", + "nice", + "oldfstat", + "oldlstat", + "oldolduname", + "oldstat", + "olduname", + "pciconfig_iobase", + "pciconfig_read", + "pciconfig_write", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", + "prof", + "profil", + "putpmsg", + "readdir", + "recvmmsg_time64", + "request_key", + "rseq", + "rtas", + "rt_sigtimedwait_time64", + "sched_rr_get_interval_time64", + "security", + "semtimedop_time64", + "sgetmask", + "spu_create", + "spu_run", + "ssetmask", + "stty", + "subpage_prot", + "swapcontext", + "swapoff", + "swapon", + "switch_endian", + "_sysctl", + "sys_debug_setcontext", + "sysfs", + "sysmips", + "timer_settime64", + "tuxcall", + "ulimit", + "uselib", + "userfaultfd", + "ustat", + "vm86", + "vm86old", + "vmsplice", + "vserver", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + }, { Names: []string{"personality"}, Action: ActAllow, @@ -514,6 +597,17 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_DAC_READ_SEARCH"}, }, }, + { + Names: []string{ + "open_by_handle_at", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_DAC_READ_SEARCH"}, + }, + }, { Names: []string{ "bpf", @@ -531,6 +625,24 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_ADMIN"}, }, }, + { + Names: []string{ + "bpf", + "fanotify_init", + "lookup_dcookie", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_ADMIN"}, + }, + }, { Names: []string{ "chroot", @@ -541,6 +653,17 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_CHROOT"}, }, }, + { + Names: []string{ + "chroot", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_CHROOT"}, + }, + }, { Names: []string{ "delete_module", @@ -554,6 +677,20 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_MODULE"}, }, }, + { + Names: []string{ + "delete_module", + "init_module", + "finit_module", + "query_module", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_MODULE"}, + }, + }, { Names: []string{ "get_mempolicy", @@ -566,6 +703,19 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_NICE"}, }, }, + { + Names: []string{ + "get_mempolicy", + "mbind", + "set_mempolicy", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_NICE"}, + }, + }, { Names: []string{ "acct", @@ -576,6 +726,17 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_PACCT"}, }, }, + { + Names: []string{ + "acct", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_PACCT"}, + }, + }, { Names: []string{ "kcmp", @@ -590,6 +751,21 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_PTRACE"}, }, }, + { + Names: []string{ + "kcmp", + "process_madvise", + "process_vm_readv", + "process_vm_writev", + "ptrace", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_PTRACE"}, + }, + }, { Names: []string{ "iopl", @@ -601,6 +777,18 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_RAWIO"}, }, }, + { + Names: []string{ + "iopl", + "ioperm", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_RAWIO"}, + }, + }, { Names: []string{ "settimeofday", @@ -614,6 +802,20 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_TIME"}, }, }, + { + Names: []string{ + "settimeofday", + "stime", + "clock_settime", + "clock_settime64", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_TIME"}, + }, + }, { Names: []string{ "vhangup", @@ -624,6 +826,17 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_TTY_CONFIG"}, }, }, + { + Names: []string{ + "vhangup", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_TTY_CONFIG"}, + }, + }, { Names: []string{ "socket", @@ -706,8 +919,9 @@ func DefaultProfile() *Seccomp { } return &Seccomp{ - DefaultAction: ActErrno, - ArchMap: arches(), - Syscalls: syscalls, + DefaultAction: ActErrno, + DefaultErrnoRet: &enosys, + ArchMap: arches(), + Syscalls: syscalls, } } diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json index 8d799fd02..0af63c48c 100644 --- a/pkg/seccomp/seccomp.json +++ b/pkg/seccomp/seccomp.json @@ -1,5 +1,6 @@ { "defaultAction": "SCMP_ACT_ERRNO", + "defaultErrnoRet": 38, "archMap": [ { "architecture": "SCMP_ARCH_X86_64", @@ -399,6 +400,86 @@ "includes": {}, "excludes": {} }, + { + "names": [ + "add_key", + "bdflush", + "break", + "cachectl", + "clone3", + "ftime", + "futex_time64", + "get_kernel_syms", + "getpmsg", + "gtty", + "idle", + "io_pgetevents", + "io_pgetevents_time64", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", + "kexec_file_load", + "kexec_load", + "membarrier", + "migrate_pages", + "move_pages", + "mpx", + "mq_timedreceive_time64", + "mq_timedsend_time64", + "multiplexer", + "nfsservctl", + "nice", + "oldfstat", + "oldlstat", + "oldolduname", + "oldstat", + "olduname", + "pciconfig_iobase", + "pciconfig_read", + "pciconfig_write", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", + "prof", + "profil", + "putpmsg", + "readdir", + "recvmmsg_time64", + "request_key", + "rseq", + "rtas", + "rt_sigtimedwait_time64", + "sched_rr_get_interval_time64", + "security", + "semtimedop_time64", + "sgetmask", + "spu_create", + "spu_run", + "ssetmask", + "stty", + "subpage_prot", + "swapcontext", + "swapoff", + "swapon", + "switch_endian", + "_sysctl", + "sys_debug_setcontext", + "sysfs", + "sysmips", + "timer_settime64", + "tuxcall", + "ulimit", + "uselib", + "userfaultfd", + "ustat", + "vm86", + "vm86old", + "vmsplice", + "vserver" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 1 + }, { "names": [ "personality" @@ -580,6 +661,21 @@ }, "excludes": {} }, + { + "names": [ + "open_by_handle_at" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 1, + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_DAC_READ_SEARCH" + ] + } + }, { "names": [ "bpf", @@ -601,6 +697,28 @@ }, "excludes": {} }, + { + "names": [ + "bpf", + "fanotify_init", + "lookup_dcookie", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 1, + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + } + }, { "names": [ "chroot" @@ -632,6 +750,24 @@ }, "excludes": {} }, + { + "names": [ + "delete_module", + "init_module", + "finit_module", + "query_module" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 1, + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_MODULE" + ] + } + }, { "names": [ "get_mempolicy", @@ -648,6 +784,23 @@ }, "excludes": {} }, + { + "names": [ + "get_mempolicy", + "mbind", + "set_mempolicy" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 1, + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_NICE" + ] + } + }, { "names": [ "acct" @@ -662,6 +815,22 @@ }, "excludes": {} }, + { + "names": [ + "acct" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 1, + "args": [], + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_PACCT" + ] + } + }, { "names": [ "kcmp", @@ -680,6 +849,25 @@ }, "excludes": {} }, + { + "names": [ + "kcmp", + "process_madvise", + "process_vm_readv", + "process_vm_writev", + "ptrace" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 1, + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_PTRACE" + ] + } + }, { "names": [ "iopl", @@ -695,6 +883,22 @@ }, "excludes": {} }, + { + "names": [ + "iopl", + "ioperm" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 1, + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_RAWIO" + ] + } + }, { "names": [ "settimeofday", @@ -712,6 +916,24 @@ }, "excludes": {} }, + { + "names": [ + "settimeofday", + "stime", + "clock_settime", + "clock_settime64" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 1, + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_TIME" + ] + } + }, { "names": [ "vhangup" @@ -726,6 +948,21 @@ }, "excludes": {} }, + { + "names": [ + "vhangup" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 1, + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_TTY_CONFIG" + ] + } + }, { "names": [ "socket" @@ -832,4 +1069,4 @@ "excludes": {} } ] -} \ No newline at end of file +}