From adee333df76c02d99c740cf82cdf6074cade49b9 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 24 May 2021 12:33:14 +0200 Subject: [PATCH 1/2] seccomp: add support for defaultErrnoRet Add support to specify the default errno return value. The OCI runtime specs already have support for it, and both crun (>= 0.19) and runc (>= 1.0-rc95) have support for it. Signed-off-by: Giuseppe Scrivano --- pkg/seccomp/conversion.go | 1 + pkg/seccomp/filter.go | 2 +- pkg/seccomp/seccomp_linux.go | 1 + pkg/seccomp/types.go | 3 ++- 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/pkg/seccomp/conversion.go b/pkg/seccomp/conversion.go index dfab381a5..4c25cb1b1 100644 --- a/pkg/seccomp/conversion.go +++ b/pkg/seccomp/conversion.go @@ -118,6 +118,7 @@ func specToSeccomp(spec *specs.LinuxSeccomp) (*Seccomp, error) { return nil, errors.Wrap(err, "convert default action") } res.DefaultAction = newDefaultAction + res.DefaultErrnoRet = spec.DefaultErrnoRet // Loop through all syscall blocks and convert them to the internal format for _, call := range spec.Syscalls { diff --git a/pkg/seccomp/filter.go b/pkg/seccomp/filter.go index ac9b2698f..90da99f0a 100644 --- a/pkg/seccomp/filter.go +++ b/pkg/seccomp/filter.go @@ -41,7 +41,7 @@ func BuildFilter(spec *specs.LinuxSeccomp) (*libseccomp.ScmpFilter, error) { return nil, errors.Wrap(err, "convert spec to seccomp profile") } - defaultAction, err := toAction(profile.DefaultAction, nil) + defaultAction, err := toAction(profile.DefaultAction, profile.DefaultErrnoRet) if err != nil { return nil, errors.Wrapf(err, "convert default action %s", profile.DefaultAction) } diff --git a/pkg/seccomp/seccomp_linux.go b/pkg/seccomp/seccomp_linux.go index 19500cc97..af36b9990 100644 --- a/pkg/seccomp/seccomp_linux.go +++ b/pkg/seccomp/seccomp_linux.go 
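Review bot: `res.DefaultErrnoRet = spec.DefaultErrnoRet` in the conversion.go hunk stores the caller's pointer rather than the value, so the converted profile aliases the spec it was built from and a later write to either side shows up in the other. A short copy removes the aliasing: `if spec.DefaultErrnoRet != nil { v := *spec.DefaultErrnoRet; res.DefaultErrnoRet = &v }`. Whether a non-nil errno paired with a default action other than ERRNO is rejected is decided inside toAction, which the filter.go hunk calls but does not show, so I cannot tell from here whether that combination is validated anywhere. The body of specToSeccomp continues outside the hunk on both sides.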
@@ -111,6 +111,7 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) } newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction) + newConfig.DefaultErrnoRet = config.DefaultErrnoRet Loop: // Loop through all syscall blocks and convert them to libcontainer format after filtering them diff --git a/pkg/seccomp/types.go b/pkg/seccomp/types.go index 7b0436dfc..36712458a 100644 --- a/pkg/seccomp/types.go +++ b/pkg/seccomp/types.go @@ -6,7 +6,8 @@ package seccomp // Seccomp represents the config for a seccomp profile for syscall restriction. type Seccomp struct { - DefaultAction Action `json:"defaultAction"` + DefaultAction Action `json:"defaultAction"` + DefaultErrnoRet *uint `json:"defaultErrnoRet"` // Architectures is kept to maintain backward compatibility with the old // seccomp profile. Architectures []Arch `json:"architectures,omitempty"` From 81cd342b5c3ca4c0497fc552eafa381524548811 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 24 May 2021 12:33:35 +0200 Subject: [PATCH 2/2] seccomp: switch default to ENOSYS add the currently blocked syscalls to a deny-list and switch the default to ENOSYS. Signed-off-by: Giuseppe Scrivano --- pkg/seccomp/default_linux.go | 184 ++++++++++++++++++++++++++++- pkg/seccomp/seccomp.json | 219 +++++++++++++++++++++++++++++++++++ 2 files changed, 400 insertions(+), 3 deletions(-) diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go index 423c983ff..edb1294d6 100644 --- a/pkg/seccomp/default_linux.go +++ b/pkg/seccomp/default_linux.go 
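Review bot: `newConfig.DefaultErrnoRet = config.DefaultErrnoRet` hands the errno to the OCI runtime with no record of what older runtimes do with it; the commit message says only crun >= 0.19 and runc >= 1.0-rc95 understand the field, so on an older runtime the assignment has no effect and the runtime's own default errno stays in force. That fallback is worth stating next to the assignment so nobody later relies on this field alone for a behaviour change, e.g. `// Honoured by crun >= 0.19 and runc >= 1.0-rc95; older runtimes ignore the field and keep their own default errno.` The body of setupSeccomp continues outside the hunk on both sides.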
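Review bot: The new `DefaultErrnoRet *uint` field in the types.go hunk has neither a doc comment nor `omitempty`, unlike the `Architectures` field two lines below it, so a profile with no explicit errno serialises as `"defaultErrnoRet": null` while the OCI spec declares its own LinuxSeccomp field with omitempty. I would document it and match the neighbouring tag style: `// DefaultErrnoRet is the errno returned for DefaultAction when it is ActErrno; when nil no value is sent and the runtime's default applies.` above the field, with the tag changed to `json:"defaultErrnoRet,omitempty"`. The rest of the Seccomp struct lies outside the hunk.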
@@ -44,8 +44,54 @@ func arches() []Architecture { // DefaultProfile defines the allowlist for the default seccomp profile. func DefaultProfile() *Seccomp { einval := uint(unix.EINVAL) + enosys := uint(unix.ENOSYS) + eperm := uint(unix.EPERM) syscalls := []*Syscall{ + { + Names: []string{ + "bdflush", + "clone3", + "io_pgetevents", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", + "kexec_file_load", + "kexec_load", + "membarrier", + "migrate_pages", + "move_pages", + "nfsservctl", + "nice", + "oldfstat", + "oldlstat", + "oldolduname", + "oldstat", + "olduname", + "pciconfig_iobase", + "pciconfig_read", + "pciconfig_write", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", + "rseq", + "sgetmask", + "ssetmask", + "swapcontext", + "swapoff", + "swapon", + "sysfs", + "uselib", + "userfaultfd", + "ustat", + "vm86", + "vm86old", + "vmsplice", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + }, { Names: []string{ "_llseek", @@ -255,6 +301,7 @@ func DefaultProfile() *Seccomp { "pwritev2", "read", "readahead", + "readdir", "readlink", "readlinkat", "readv", @@ -522,6 +569,17 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_DAC_READ_SEARCH"}, }, }, + { + Names: []string{ + "open_by_handle_at", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_DAC_READ_SEARCH"}, + }, + }, { Names: []string{ "bpf", @@ -539,6 +597,24 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_ADMIN"}, }, }, + { + Names: []string{ + "bpf", + "fanotify_init", + "lookup_dcookie", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_ADMIN"}, + }, + }, { Names: []string{ "chroot", 
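Review bot: `"clone3"` in the new EPERM list (first hunk of this file, directly after `syscalls := []*Syscall{`) forfeits the benefit the patch introduces: as far as I know glibc's pthread_create and posix_spawn try clone3 first and fall back to clone only when the kernel answers ENOSYS, so an explicit EPERM makes thread and process creation fail outright on such a libc, whereas the new ENOSYS default would have let the fallback run. The same reasoning applies to any entry a libc probes with an ENOSYS fallback; for names that are refused because they are new rather than because they are dangerous, leaving them to `DefaultErrnoRet` is the safer choice, and for clone3 dropping the `"clone3",` line is enough. The block also deserves a comment saying why these names get an explicit EPERM instead of the default, e.g. `// Explicit EPERM preserves the errno these syscalls returned before the default became ENOSYS; anything not listed here now reports ENOSYS.` The body of DefaultProfile continues outside the hunk.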
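Review bot: Each capability-gated allow rule now gets an EPERM twin that repeats its Names list and its caps by hand (the `open_by_handle_at` block in the -522 hunk, the CAP_SYS_ADMIN block in the -539 hunk, and the CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_NICE, CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_TIME and CAP_SYS_TTY_CONFIG blocks that follow in the later hunks), so the two copies of a list can drift when a name is added to one and not the other, and a syscall that is then allowed with the cap but missing from the deny list quietly falls back to ENOSYS instead of EPERM. A small constructor that builds the EPERM rule from one shared name list and cap list keeps each pair in lock-step, with the allow rule reading the same variables. The helper below is a constructed example using only the field names the hunk already uses; the remainder of DefaultProfile is outside the hunk.
```go
	// … unchanged: einval, enosys and eperm declarations …
	// denyWithoutCaps builds the EPERM twin of a capability-gated allow rule:
	// the same names are refused with EPERM when the container lacks caps.
	denyWithoutCaps := func(names []string, caps []string) *Syscall {
		return &Syscall{
			Names:    names,
			Action:   ActErrno,
			ErrnoRet: &eperm,
			Args:     []*Arg{},
			Excludes: Filter{Caps: caps},
		}
	}
	// one shared name list per capability, used by both the allow and the deny rule
	dacReadSearch := []string{"open_by_handle_at"}
	// … unchanged: the allow rule for dacReadSearch, now referencing the shared list …
	denyWithoutCaps(dacReadSearch, []string{"CAP_DAC_READ_SEARCH"}),
```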
@@ -549,6 +625,17 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_CHROOT"}, }, }, + { + Names: []string{ + "chroot", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_CHROOT"}, + }, + }, { Names: []string{ "delete_module", @@ -562,6 +649,20 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_MODULE"}, }, }, + { + Names: []string{ + "delete_module", + "init_module", + "finit_module", + "query_module", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_MODULE"}, + }, + }, { Names: []string{ "get_mempolicy", @@ -574,6 +675,19 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_NICE"}, }, }, + { + Names: []string{ + "get_mempolicy", + "mbind", + "set_mempolicy", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_NICE"}, + }, + }, { Names: []string{ "acct", @@ -584,6 +698,17 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_PACCT"}, }, }, + { + Names: []string{ + "acct", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_PACCT"}, + }, + }, { Names: []string{ "kcmp", @@ -598,6 +723,21 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_PTRACE"}, }, }, + { + Names: []string{ + "kcmp", + "process_madvise", + "process_vm_readv", + "process_vm_writev", + "ptrace", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_PTRACE"}, + }, + }, { Names: []string{ "iopl", @@ -609,6 +749,18 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_RAWIO"}, }, }, + { + Names: []string{ + "iopl", + "ioperm", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_RAWIO"}, + }, + }, { Names: []string{ "settimeofday", 
@@ -622,6 +774,20 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_TIME"}, }, }, + { + Names: []string{ + "settimeofday", + "stime", + "clock_settime", + "clock_settime64", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_TIME"}, + }, + }, { Names: []string{ "vhangup", @@ -632,6 +798,17 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_TTY_CONFIG"}, }, }, + { + Names: []string{ + "vhangup", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_TTY_CONFIG"}, + }, + }, { Names: []string{ "socket", @@ -714,8 +891,9 @@ func DefaultProfile() *Seccomp { } return &Seccomp{ - DefaultAction: ActErrno, - ArchMap: arches(), - Syscalls: syscalls, + DefaultAction: ActErrno, + DefaultErrnoRet: &enosys, + ArchMap: arches(), + Syscalls: syscalls, } } diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json index a87f73524..885240e50 100644 --- a/pkg/seccomp/seccomp.json +++ b/pkg/seccomp/seccomp.json @@ -1,5 +1,6 @@ { "defaultAction": "SCMP_ACT_ERRNO", + "defaultErrnoRet": 38, "archMap": [ { "architecture": "SCMP_ARCH_X86_64", @@ -50,6 +51,53 @@ } ], "syscalls": [ + { + "names": [ + "bdflush", + "clone3", + "io_pgetevents", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", + "kexec_file_load", + "kexec_load", + "membarrier", + "migrate_pages", + "move_pages", + "nfsservctl", + "nice", + "oldfstat", + "oldlstat", + "oldolduname", + "oldstat", + "olduname", + "pciconfig_iobase", + "pciconfig_read", + "pciconfig_write", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", + "rseq", + "sgetmask", + "ssetmask", + "swapcontext", + "swapoff", + "swapon", + "sysfs", + "uselib", + "userfaultfd", + "ustat", + "vm86", + "vm86old", + "vmsplice" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": {}, + "errnoRet": 1 + }, { "names": [ "_llseek", 
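Review bot: `DefaultErrnoRet: &enosys` in the -714 hunk carries whatever `unix.ENOSYS` is on the build host, and the seccomp.json hunk in the same patch freezes it as the literal `38`. That number is ENOSYS on x86, arm, aarch64, s390 and ppc but not on every Linux architecture (MIPS, for one, uses a different value), so a profile generated on one host and applied on another encodes a foreign errno, while EPERM as `1` is identical everywhere and has no such problem. A comment on the declaration would at least make the assumption visible, e.g. `// ENOSYS is not the same number on every architecture; a JSON profile generated from this value is only correct for hosts that share it.` The remainder of DefaultProfile lies outside the hunk.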
@@ -259,6 +307,7 @@ "pwritev2", "read", "readahead", + "readdir", "readlink", "readlinkat", "readv", @@ -588,6 +637,21 @@ }, "excludes": {} }, + { + "names": [ + "open_by_handle_at" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_DAC_READ_SEARCH" + ] + }, + "errnoRet": 1 + }, { "names": [ "bpf", @@ -609,6 +673,28 @@ }, "excludes": {} }, + { + "names": [ + "bpf", + "fanotify_init", + "lookup_dcookie", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + }, + "errnoRet": 1 + }, { "names": [ "chroot" @@ -623,6 +709,21 @@ }, "excludes": {} }, + { + "names": [ + "chroot" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_CHROOT" + ] + }, + "errnoRet": 1 + }, { "names": [ "delete_module", @@ -640,6 +741,24 @@ }, "excludes": {} }, + { + "names": [ + "delete_module", + "init_module", + "finit_module", + "query_module" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_MODULE" + ] + }, + "errnoRet": 1 + }, { "names": [ "get_mempolicy", @@ -656,6 +775,23 @@ }, "excludes": {} }, + { + "names": [ + "get_mempolicy", + "mbind", + "set_mempolicy" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_NICE" + ] + }, + "errnoRet": 1 + }, { "names": [ "acct" @@ -670,6 +806,21 @@ }, "excludes": {} }, + { + "names": [ + "acct" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_PACCT" + ] + }, + "errnoRet": 1 + }, { "names": [ "kcmp", 
@@ -688,6 +839,25 @@ }, "excludes": {} }, + { + "names": [ + "kcmp", + "process_madvise", + "process_vm_readv", + "process_vm_writev", + "ptrace" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_PTRACE" + ] + }, + "errnoRet": 1 + }, { "names": [ "iopl", @@ -703,6 +873,22 @@ }, "excludes": {} }, + { + "names": [ + "iopl", + "ioperm" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_RAWIO" + ] + }, + "errnoRet": 1 + }, { "names": [ "settimeofday", @@ -720,6 +906,24 @@ }, "excludes": {} }, + { + "names": [ + "settimeofday", + "stime", + "clock_settime", + "clock_settime64" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_TIME" + ] + }, + "errnoRet": 1 + }, { "names": [ "vhangup" @@ -734,6 +938,21 @@ }, "excludes": {} }, + { + "names": [ + "vhangup" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_TTY_CONFIG" + ] + }, + "errnoRet": 1 + }, { "names": [ "socket"