
Commit 02d93ad

authored
Merge pull request #4561 from thaJeztah/1.3_backport_seccomp_updates
[release/1.3] backport seccomp profile updates
2 parents 6f8f27a + 1f5b5c9 commit 02d93ad

3 files changed

Lines changed: 74 additions & 10 deletions


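--- a/SCOPE.md
+++ b/SCOPE.md
@@ -52,6 +52,6 @@ containerd is designed to be embedded into a larger system, hence it only includ
 
 ### How is the scope changed?
 
-The scope of this project is a whitelist.
+The scope of this project is an allowed list.
 If it's not mentioned as being in scope, it is out of scope.
 For the scope of this project to change it requires a 100% vote from all maintainers of the project.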

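--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -47,15 +47,15 @@ func arches() []specs.Arch {
 }
 }
 
-// DefaultProfile defines the whitelist for the default seccomp profile.
+// DefaultProfile defines the allowed syscalls for the default seccomp profile.
 func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 syscalls := []specs.LinuxSyscall{
 {
 Names: []string{
 "accept",
 "accept4",
 "access",
-"alarm",
+"adjtimex",
 "alarm",
 "bind",
 "brk",
@@ -65,9 +65,14 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "chmod",
 "chown",
 "chown32",
+"clock_adjtime",
+"clock_adjtime64",
 "clock_getres",
+"clock_getres_time64",
 "clock_gettime",
+"clock_gettime64",
 "clock_nanosleep",
+"clock_nanosleep_time64",
 "close",
 "connect",
 "copy_file_range",
@@ -118,6 +123,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "ftruncate",
 "ftruncate64",
 "futex",
+"futex_time64",
 "futimesat",
 "getcpu",
 "getcwd",
@@ -164,10 +170,14 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "io_destroy",
 "io_getevents",
 "io_pgetevents",
+"io_pgetevents_time64",
 "ioprio_get",
 "ioprio_set",
 "io_setup",
 "io_submit",
+"io_uring_enter",
+"io_uring_register",
+"io_uring_setup",
 "ipc",
 "kill",
 "lchown",
@@ -185,6 +195,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "lstat",
 "lstat64",
 "madvise",
+"membarrier",
 "memfd_create",
 "mincore",
 "mkdir",
@@ -201,7 +212,9 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "mq_notify",
 "mq_open",
 "mq_timedreceive",
+"mq_timedreceive_time64",
 "mq_timedsend",
+"mq_timedsend_time64",
 "mq_unlink",
 "mremap",
 "msgctl",
@@ -223,13 +236,17 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "pipe2",
 "poll",
 "ppoll",
+"ppoll_time64",
 "prctl",
 "pread64",
 "preadv",
+"preadv2",
 "prlimit64",
 "pselect6",
+"pselect6_time64",
 "pwrite64",
 "pwritev",
+"pwritev2",
 "read",
 "readahead",
 "readlink",
@@ -238,6 +255,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "recv",
 "recvfrom",
 "recvmmsg",
+"recvmmsg_time64",
 "recvmsg",
 "remap_file_pages",
 "removexattr",
@@ -246,13 +264,15 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "renameat2",
 "restart_syscall",
 "rmdir",
+"rseq",
 "rt_sigaction",
 "rt_sigpending",
 "rt_sigprocmask",
 "rt_sigqueueinfo",
 "rt_sigreturn",
 "rt_sigsuspend",
 "rt_sigtimedwait",
+"rt_sigtimedwait_time64",
 "rt_tgsigqueueinfo",
 "sched_getaffinity",
 "sched_getattr",
@@ -261,6 +281,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "sched_get_priority_min",
 "sched_getscheduler",
 "sched_rr_get_interval",
+"sched_rr_get_interval_time64",
 "sched_setaffinity",
 "sched_setattr",
 "sched_setparam",
@@ -272,6 +293,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "semget",
 "semop",
 "semtimedop",
+"semtimedop_time64",
 "send",
 "sendfile",
 "sendfile64",
@@ -331,18 +353,21 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "sync_file_range",
 "syncfs",
 "sysinfo",
-"syslog",
 "tee",
 "tgkill",
 "time",
 "timer_create",
 "timer_delete",
-"timerfd_create",
-"timerfd_gettime",
-"timerfd_settime",
 "timer_getoverrun",
 "timer_gettime",
+"timer_gettime64",
 "timer_settime",
+"timer_settime64",
+"timerfd_create",
+"timerfd_gettime",
+"timerfd_gettime64",
+"timerfd_settime",
+"timerfd_settime64",
 "times",
 "tkill",
 "truncate",
@@ -354,6 +379,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "unlinkat",
 "utime",
 "utimensat",
+"utimensat_time64",
 "utimes",
 "vfork",
 "vmsplice",
@@ -388,6 +414,28 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 },
 },
 },
+{
+Names: []string{"personality"},
+Action: specs.ActAllow,
+Args: []specs.LinuxSeccompArg{
+{
+Index: 0,
+Value: 0x20000,
+Op: specs.OpEqualTo,
+},
+},
+},
+{
+Names: []string{"personality"},
+Action: specs.ActAllow,
+Args: []specs.LinuxSeccompArg{
+{
+Index: 0,
+Value: 0x20008,
+Op: specs.OpEqualTo,
+},
+},
+},
 {
 Names: []string{"personality"},
 Action: specs.ActAllow,
@@ -409,11 +457,20 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 
 // include by arch
 switch runtime.GOARCH {
+case "ppc64le":
+s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
+Names: []string{
+"sync_file_range2",
+},
+Action: specs.ActAllow,
+Args: []specs.LinuxSeccompArg{},
+})
 case "arm", "arm64":
 s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
 Names: []string{
 "arm_fadvise64_64",
 "arm_sync_file_range",
+"sync_file_range2",
 "breakpoint",
 "cacheflush",
 "set_tls",
@@ -470,9 +527,11 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "mount",
 "name_to_handle_at",
 "perf_event_open",
+"quotactl",
 "setdomainname",
 "sethostname",
 "setns",
+"syslog",
 "umount",
 "umount2",
 "unshare",
@@ -498,7 +557,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "delete_module",
 "init_module",
 "finit_module",
-"query_module",
 },
 Action: specs.ActAllow,
 Args: []specs.LinuxSeccompArg{},
@@ -534,7 +592,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 Names: []string{
 "settimeofday",
 "stime",
-"adjtimex",
+"clock_settime",
 },
 Action: specs.ActAllow,
 Args: []specs.LinuxSeccompArg{},
@@ -545,6 +603,12 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 Action: specs.ActAllow,
 Args: []specs.LinuxSeccompArg{},
 })
+case "CAP_SYSLOG":
+s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
+Names: []string{"syslog"},
+Action: specs.ActAllow,
+Args: []specs.LinuxSeccompArg{},
+})
 }
 }
 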
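Review bot: The two new `personality` rules at new lines 417-438 carry bare magic values that a reader cannot check without a kernel-header lookup; `Value: 0x20000, // UNAME26` and `Value: 0x20008, // UNAME26 | PER_LINUX32` would document them, and a one-line comment above the first rule saying they are kept as separate entries because the args of a single rule are ANDed together would explain why the syscall appears several times (the pre-existing personality rules below them have their values outside the hunk). The unconditional default list now also gains `io_uring_enter`/`io_uring_register`/`io_uring_setup` (new lines 178-180) and `adjtimex`/`clock_adjtime` (new lines 58, 68-69) while `syslog` is moved out to the `CAP_SYS_ADMIN` and new `CAP_SYSLOG` cases; a short comment at those lines recording that the time-adjustment calls are read-only for a process without CAP_SYS_TIME (the kernel enforces the capability itself) and that the io_uring additions presumably track the upstream default profile would make the next backport review of this list self-contained. DefaultProfile begins and ends outside the hunks.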

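--- a/contrib/seccomp/seccomp_default_unsupported.go
+++ b/contrib/seccomp/seccomp_default_unsupported.go
@@ -20,7 +20,7 @@ package seccomp
 
 import specs "github.com/opencontainers/runtime-spec/specs-go"
 
-// DefaultProfile defines the whitelist for the default seccomp profile.
+// DefaultProfile defines the allowed syscalls for the default seccomp profile.
 func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 return &specs.LinuxSeccomp{}
 }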
