Fix seccomp contributed profile for clone syscall #3314

KentaTada · 2019-05-31T02:27:32Z

All clone flags for namespace should be denied.
Also x/sys should be used instead of syscall.

Signed-off-by: Kenta Tada [email protected]

theopenlab-ci · 2019-05-31T02:44:15Z

Build succeeded.

containerd-build-arm64 : SUCCESS in 8m 08s (non-voting)

theopenlab-ci · 2019-05-31T03:11:56Z

Build succeeded.

containerd-build-arm64 : SUCCESS in 8m 03s (non-voting)

codecov-io · 2019-05-31T03:21:57Z

Codecov Report

Merging #3314 into master will not change coverage.
The diff coverage is n/a.

@@          Coverage Diff           @@
##           master   #3314   +/-   ##
======================================
  Coverage    44.6%   44.6%           
======================================
  Files         112     112           
  Lines       12180   12180           
======================================
  Hits         5433    5433           
  Misses       5913    5913           
  Partials      834     834

Flag	Coverage Δ
#linux	`48.49% <ø> (ø)`	⬆️
#windows	`39.87% <ø> (ø)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0e7a3c9...1442839. Read the comment docs.

codecov-io · 2019-05-31T03:21:58Z

Codecov Report

Merging #3314 into master will not change coverage.
The diff coverage is n/a.

@@          Coverage Diff           @@
##           master   #3314   +/-   ##
======================================
  Coverage    44.6%   44.6%           
======================================
  Files         112     112           
  Lines       12180   12180           
======================================
  Hits         5433    5433           
  Misses       5913    5913           
  Partials      834     834

Flag	Coverage Δ
#linux	`48.49% <ø> (ø)`	⬆️
#windows	`39.87% <ø> (ø)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1c5b384...5b9a43d. Read the comment docs.

estesp · 2019-05-31T14:29:45Z

This looks reasonable; however, given this is contributed content (contrib/) outside the core implementation can we change the PR title from "default profile" to "contributed profile" (in the commit message as well) so that anyone searching through issues/PRs in the future doesn't get the wrong idea that containerd uses a seccomp profile by default?

Thanks!

theopenlab-ci · 2019-06-03T01:12:37Z

Build succeeded.

containerd-build-arm64 : SUCCESS in 8m 15s (non-voting)

theopenlab-ci · 2019-06-03T01:51:20Z

Build succeeded.

containerd-build-arm64 : SUCCESS in 8m 32s (non-voting)

theopenlab-ci · 2019-06-03T02:25:35Z

Build succeeded.

containerd-build-arm64 : SUCCESS in 8m 08s (non-voting)

theopenlab-ci · 2019-06-03T05:13:37Z

Build succeeded.

containerd-build-arm64 : SUCCESS in 8m 18s (non-voting)

All clone flags for namespace should be denied. Also x/sys should be used instead of syscall. Signed-off-by: Kenta Tada <[email protected]>

theopenlab-ci · 2019-06-03T05:40:28Z

Build succeeded.

containerd-build-arm64 : SUCCESS in 8m 04s (non-voting)

KentaTada · 2019-06-03T06:27:28Z

@estesp Thank you for the review. I changed the title and comment. Could you confirm it?

crosbymichael · 2019-06-03T14:22:36Z

LGTM

estesp

LGTM

thaJeztah · 2019-06-03T16:51:29Z

@KentaTada could you check if changes are needed to the default seccomp profile in moby/moby? https://github.com/moby/moby/blob/61da822eeb7905a61eeaf18ea386e1a786cf0601/profiles/seccomp/seccomp_default.go#L517-L538

thaJeztah · 2019-06-03T16:51:36Z

@justincormack ptal

justincormack · 2019-06-03T16:53:49Z

@thaJeztah yes the changes should be the same on moby/moby

thaJeztah · 2019-06-03T17:48:45Z

Thx, yes, found the difference after posting here; let me do a PR for moby/moby

thaJeztah · 2019-06-03T18:03:30Z

opened moby/moby#39308

This commit changes the value of seccomp test for clone syscall. Also hardcoded values should be changed because it is unclear to understand what flags are tested. Related issues: * containerd/containerd#3314 * moby/moby#39308 * opencontainers/runtime-tools#694 Signed-off-by: Kenta Tada <[email protected]>

KentaTada force-pushed the fix-clone-seccomp-cgroupns branch from 32bfa60 to add4120 Compare May 31, 2019 02:35

KentaTada force-pushed the fix-clone-seccomp-cgroupns branch from add4120 to 1442839 Compare May 31, 2019 03:01

KentaTada force-pushed the fix-clone-seccomp-cgroupns branch from 1442839 to f811b4a Compare June 3, 2019 01:03

KentaTada changed the title ~~Fix seccomp default profile for clone syscall~~ Fix seccomp contributed profile for clone syscall Jun 3, 2019

KentaTada force-pushed the fix-clone-seccomp-cgroupns branch from f811b4a to 30bdb45 Compare June 3, 2019 01:41

KentaTada force-pushed the fix-clone-seccomp-cgroupns branch from 30bdb45 to c3b49b6 Compare June 3, 2019 02:13

KentaTada force-pushed the fix-clone-seccomp-cgroupns branch from c3b49b6 to 767d5f4 Compare June 3, 2019 05:04

Fix seccomp contributed profile for clone syscall

5b9a43d

All clone flags for namespace should be denied. Also x/sys should be used instead of syscall. Signed-off-by: Kenta Tada <[email protected]>

KentaTada force-pushed the fix-clone-seccomp-cgroupns branch from 767d5f4 to 5b9a43d Compare June 3, 2019 05:31

estesp approved these changes Jun 3, 2019

View reviewed changes

estesp merged commit 48a1fca into containerd:master Jun 3, 2019

thaJeztah mentioned this pull request Jun 3, 2019

Fix seccomp profile for clone syscall moby/moby#39308

Merged

KentaTada mentioned this pull request Jun 4, 2019

seccomp: add CloneNewCgroup to check sysCloneFlagsIndex opencontainers/runtime-tools#694

Merged

KentaTada mentioned this pull request Jun 4, 2019

libcontainer: change seccomp test for clone syscall opencontainers/runc#2067

Merged

thaJeztah mentioned this pull request Aug 24, 2020

[19.03 backport] seccomp profile updates moby/moby#41381

Closed

Fix seccomp contributed profile for clone syscall #3314

Fix seccomp contributed profile for clone syscall #3314

Uh oh!

Conversation

KentaTada commented May 31, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

theopenlab-ci bot commented May 31, 2019

Uh oh!

theopenlab-ci bot commented May 31, 2019

Uh oh!

codecov-io commented May 31, 2019

Codecov Report

Uh oh!

codecov-io commented May 31, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

estesp commented May 31, 2019

Uh oh!

theopenlab-ci bot commented Jun 3, 2019

Uh oh!

theopenlab-ci bot commented Jun 3, 2019

Uh oh!

theopenlab-ci bot commented Jun 3, 2019

Uh oh!

theopenlab-ci bot commented Jun 3, 2019

Uh oh!

theopenlab-ci bot commented Jun 3, 2019

Uh oh!

KentaTada commented Jun 3, 2019

Uh oh!

crosbymichael commented Jun 3, 2019

Uh oh!

estesp left a comment

Choose a reason for hiding this comment

Uh oh!

thaJeztah commented Jun 3, 2019

Uh oh!

thaJeztah commented Jun 3, 2019

Uh oh!

justincormack commented Jun 3, 2019

Uh oh!

thaJeztah commented Jun 3, 2019

Uh oh!

thaJeztah commented Jun 3, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

KentaTada commented May 31, 2019 •

edited

Loading

codecov-io commented May 31, 2019 •

edited

Loading