Merge pull request #627 from giuseppe/fix-seccomp-profile
seccomp: tweak default profile (followup for #573)
openshift-merge-robot authored Jun 18, 2021
2 parents c034cf4 + 689e5b0 commit 5a0821b
Showing 2 changed files with 16 additions and 76 deletions.
42 changes: 8 additions & 34 deletions pkg/seccomp/default_linux.go
Expand Up @@ -51,14 +51,9 @@ func DefaultProfile() *Seccomp {
{
Names: []string{
"bdflush",
"clone3",
"io_pgetevents",
"io_uring_enter",
"io_uring_register",
"io_uring_setup",
"kexec_file_load",
"kexec_load",
"membarrier",
"migrate_pages",
"move_pages",
"nfsservctl",
Expand All @@ -71,10 +66,6 @@ func DefaultProfile() *Seccomp {
"pciconfig_iobase",
"pciconfig_read",
"pciconfig_write",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"rseq",
"sgetmask",
"ssetmask",
"swapcontext",
Expand Down Expand Up @@ -118,6 +109,7 @@ func DefaultProfile() *Seccomp {
"clock_nanosleep",
"clock_nanosleep_time64",
"clone",
"clone3",
"close",
"close_range",
"connect",
Expand Down Expand Up @@ -191,6 +183,7 @@ func DefaultProfile() *Seccomp {
"getgroups",
"getgroups32",
"getitimer",
"get_mempolicy",
"getpeername",
"getpgid",
"getpgrp",
Expand Down Expand Up @@ -241,6 +234,7 @@ func DefaultProfile() *Seccomp {
"lstat",
"lstat64",
"madvise",
"mbind",
"memfd_create",
"mincore",
"mkdir",
Expand Down Expand Up @@ -286,6 +280,9 @@ func DefaultProfile() *Seccomp {
"pipe",
"pipe2",
"pivot_root",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"poll",
"ppoll",
"ppoll_time64",
Expand Down Expand Up @@ -318,6 +315,7 @@ func DefaultProfile() *Seccomp {
"renameat2",
"restart_syscall",
"rmdir",
"rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
Expand Down Expand Up @@ -354,6 +352,7 @@ func DefaultProfile() *Seccomp {
"sendmsg",
"sendto",
"setns",
"set_mempolicy",
"set_robust_list",
"set_thread_area",
"set_tid_address",
Expand Down Expand Up @@ -663,31 +662,6 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_MODULE"},
},
},
{
Names: []string{
"get_mempolicy",
"mbind",
"set_mempolicy",
},
Action: ActAllow,
Args: []*Arg{},
Includes: Filter{
Caps: []string{"CAP_SYS_NICE"},
},
},
{
Names: []string{
"get_mempolicy",
"mbind",
"set_mempolicy",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_NICE"},
},
},
{
Names: []string{
"acct",
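Review bot: Moving clone3 into the unconditional allow list (the `"clone3",` line following `"clone",` in the hunk headed `@@ -118,6 +109,7 @@`) sidesteps any argument-based rule the profile applies to clone, because clone3 passes its flags inside a user-space struct that a seccomp BPF filter cannot inspect; if DefaultProfile restricts clone by its flags elsewhere in the file (for instance to gate namespace creation behind a capability), that restriction is presumably no longer effective for callers that invoke clone3 directly. A safer shape is a dedicated rule that returns ENOSYS for clone3 — `Action: ActErrno` with an ENOSYS errno return rather than the `&eperm` pattern used by the other deny rules — so libc falls back to the filtered clone path transparently; the equivalent entry is needed in pkg/seccomp/seccomp.json, whose hunks mirror this change. The other additions in this section (get_mempolicy, mbind, set_mempolicy, pkey_alloc/pkey_free/pkey_mprotect, rseq) drop the CAP_SYS_NICE include/exclude pair deleted in the last hunk; that looks intentional, but a short comment on the allow entry such as `// mempolicy/mbind are allowed unconditionally; the kernel enforces its own capability checks` would record the rationale for the next reader. DefaultProfile begins and ends outside the visible hunks.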
50 changes: 8 additions & 42 deletions pkg/seccomp/seccomp.json
Expand Up @@ -54,14 +54,9 @@
{
"names": [
"bdflush",
"clone3",
"io_pgetevents",
"io_uring_enter",
"io_uring_register",
"io_uring_setup",
"kexec_file_load",
"kexec_load",
"membarrier",
"migrate_pages",
"move_pages",
"nfsservctl",
Expand All @@ -74,10 +69,6 @@
"pciconfig_iobase",
"pciconfig_read",
"pciconfig_write",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"rseq",
"sgetmask",
"ssetmask",
"swapcontext",
Expand Down Expand Up @@ -124,6 +115,7 @@
"clock_nanosleep",
"clock_nanosleep_time64",
"clone",
"clone3",
"close",
"close_range",
"connect",
Expand Down Expand Up @@ -197,6 +189,7 @@
"getgroups",
"getgroups32",
"getitimer",
"get_mempolicy",
"getpeername",
"getpgid",
"getpgrp",
Expand Down Expand Up @@ -247,6 +240,7 @@
"lstat",
"lstat64",
"madvise",
"mbind",
"memfd_create",
"mincore",
"mkdir",
Expand Down Expand Up @@ -292,6 +286,9 @@
"pipe",
"pipe2",
"pivot_root",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"poll",
"ppoll",
"ppoll_time64",
Expand Down Expand Up @@ -324,6 +321,7 @@
"renameat2",
"restart_syscall",
"rmdir",
"rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
Expand Down Expand Up @@ -360,6 +358,7 @@
"sendmsg",
"sendto",
"setns",
"set_mempolicy",
"set_robust_list",
"set_thread_area",
"set_tid_address",
Expand Down Expand Up @@ -759,39 +758,6 @@
},
"errnoRet": 1
},
{
"names": [
"get_mempolicy",
"mbind",
"set_mempolicy"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_NICE"
]
},
"excludes": {}
},
{
"names": [
"get_mempolicy",
"mbind",
"set_mempolicy"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_NICE"
]
},
"errnoRet": 1
},
{
"names": [
"acct"