seccomp: switch default to ENOSYS

add the currently blocked syscalls to a deny-list and switch the default to ENOSYS. Signed-off-by: Giuseppe Scrivano <[email protected]>
containers · Jun 4, 2021 · fcaaf65 · fcaaf65
1 parent 32e3ca7
commit fcaaf65
Show file tree

Hide file tree

Showing 2 changed files with 400 additions and 3 deletions.
diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
@@ -44,8 +44,54 @@ func arches() []Architecture {
 // DefaultProfile defines the allowlist for the default seccomp profile.
 func DefaultProfile() *Seccomp {
 	einval := uint(unix.EINVAL)
+	enosys := uint(unix.ENOSYS)
+	eperm := uint(unix.EPERM)
 
 	syscalls := []*Syscall{
+		{
+			Names: []string{
+				"bdflush",
+				"clone3",
+				"io_pgetevents",
+				"io_uring_enter",
+				"io_uring_register",
+				"io_uring_setup",
+				"kexec_file_load",
+				"kexec_load",
+				"membarrier",
+				"migrate_pages",
+				"move_pages",
+				"nfsservctl",
+				"nice",
+				"oldfstat",
+				"oldlstat",
+				"oldolduname",
+				"oldstat",
+				"olduname",
+				"pciconfig_iobase",
+				"pciconfig_read",
+				"pciconfig_write",
+				"pkey_alloc",
+				"pkey_free",
+				"pkey_mprotect",
+				"rseq",
+				"sgetmask",
+				"ssetmask",
+				"swapcontext",
+				"swapoff",
+				"swapon",
+				"sysfs",
+				"uselib",
+				"userfaultfd",
+				"ustat",
+				"vm86",
+				"vm86old",
+				"vmsplice",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+		},
 		{
 			Names: []string{
 				"_llseek",
@@ -255,6 +301,7 @@ func DefaultProfile() *Seccomp {
 				"pwritev2",
 				"read",
 				"readahead",
+				"readdir",
 				"readlink",
 				"readlinkat",
 				"readv",
@@ -521,6 +568,17 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_DAC_READ_SEARCH"},
 			},
 		},
+		{
+			Names: []string{
+				"open_by_handle_at",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_DAC_READ_SEARCH"},
+			},
+		},
 		{
 			Names: []string{
 				"bpf",
@@ -538,6 +596,24 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
 		},
+		{
+			Names: []string{
+				"bpf",
+				"fanotify_init",
+				"lookup_dcookie",
+				"perf_event_open",
+				"quotactl",
+				"setdomainname",
+				"sethostname",
+				"setns",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_SYS_ADMIN"},
+			},
+		},
 		{
 			Names: []string{
 				"chroot",
@@ -548,6 +624,17 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_SYS_CHROOT"},
 			},
 		},
+		{
+			Names: []string{
+				"chroot",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_SYS_CHROOT"},
+			},
+		},
 		{
 			Names: []string{
 				"delete_module",
@@ -561,6 +648,20 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_SYS_MODULE"},
 			},
 		},
+		{
+			Names: []string{
+				"delete_module",
+				"init_module",
+				"finit_module",
+				"query_module",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_SYS_MODULE"},
+			},
+		},
 		{
 			Names: []string{
 				"get_mempolicy",
@@ -573,6 +674,19 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_SYS_NICE"},
 			},
 		},
+		{
+			Names: []string{
+				"get_mempolicy",
+				"mbind",
+				"set_mempolicy",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_SYS_NICE"},
+			},
+		},
 		{
 			Names: []string{
 				"acct",
@@ -583,6 +697,17 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_SYS_PACCT"},
 			},
 		},
+		{
+			Names: []string{
+				"acct",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_SYS_PACCT"},
+			},
+		},
 		{
 			Names: []string{
 				"kcmp",
@@ -597,6 +722,21 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_SYS_PTRACE"},
 			},
 		},
+		{
+			Names: []string{
+				"kcmp",
+				"process_madvise",
+				"process_vm_readv",
+				"process_vm_writev",
+				"ptrace",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_SYS_PTRACE"},
+			},
+		},
 		{
 			Names: []string{
 				"iopl",
@@ -608,6 +748,18 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_SYS_RAWIO"},
 			},
 		},
+		{
+			Names: []string{
+				"iopl",
+				"ioperm",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_SYS_RAWIO"},
+			},
+		},
 		{
 			Names: []string{
 				"settimeofday",
@@ -621,6 +773,20 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_SYS_TIME"},
 			},
 		},
+		{
+			Names: []string{
+				"settimeofday",
+				"stime",
+				"clock_settime",
+				"clock_settime64",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_SYS_TIME"},
+			},
+		},
 		{
 			Names: []string{
 				"vhangup",
@@ -631,6 +797,17 @@ func DefaultProfile() *Seccomp {
 				Caps: []string{"CAP_SYS_TTY_CONFIG"},
 			},
 		},
+		{
+			Names: []string{
+				"vhangup",
+			},
+			Action:   ActErrno,
+			ErrnoRet: &eperm,
+			Args:     []*Arg{},
+			Excludes: Filter{
+				Caps: []string{"CAP_SYS_TTY_CONFIG"},
+			},
+		},
 		{
 			Names: []string{
 				"socket",
@@ -713,8 +890,9 @@ func DefaultProfile() *Seccomp {
 	}
 
 	return &Seccomp{
-		DefaultAction: ActErrno,
-		ArchMap:       arches(),
-		Syscalls:      syscalls,
+		DefaultAction:   ActErrno,
+		DefaultErrnoRet: &enosys,
+		ArchMap:         arches(),
+		Syscalls:        syscalls,
 	}
 }