seccomp: move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG #4491
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…SYSLOG This call is what is used to implement `dmesg` to get kernel messages about the host. This can leak substantial information about the host. It is normally available to unprivileged users on the host, unless the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set by standard on the majority of distributions. Blocking this to restrict leaks about the configuration seems correct. Relates to moby/moby#37897 "docker exposes dmesg to containers by default" See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
seccomp_syslog
branch
from
12e2c03 to
267a0cf
Compare
Member
Author
|
@justincormack ptal |
|
Build succeeded.
|
|
Build succeeded.
|
Member
|
LGTM |
AkihiroSuda
added
the
cherry-picked/1.4.x
kevpar
added a commit
to kevpar/containerd
that referenced
this pull request
Oct 26, 2020
containerd 1.4.1 Welcome to the v1.4.1 release of containerd! The first patch release for `containerd` 1.4 includes a fix for v1 shims hanging on exit and exec when the log pipe fills up along with other minor changes. * Always consume shim logs to prevent logs in the shim from blocking [containerd#4546](containerd#4546) * Fix error deleting v2 bundle directory when removing rootfs returns `ErrNotExist` [containerd#4472](containerd#4472) * Fix metrics monitoring of v2 runtime tasks [containerd#4486](containerd#4486) * Fix incorrect stat for Windows containers [containerd#4468](containerd#4468) * Fix devmapper device deletion on rollback [containerd#4437](containerd#4437) * Update seccomp default profile [containerd#4481](containerd#4481) [containerd#4491](containerd#4491) [containerd#4492](containerd#4492) [containerd#4493](containerd#4493) Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues. * Sebastiaan van Stijn * Derek McGowan * Wei Fu * Brian Goff * Akihiro Suda * Antonio Ojea * Jintao Zhang * Phil Estes * Kazuyoshi Kato * Li Yuxuan * Mike Brown * Prashant Bhutani <details><summary>36 commits</summary> <p> * [`c623d1b3`](containerd@c623d1b) Merge pull request [containerd#4564](containerd#4564) from dmcgowan/prepare-1.4.1 * [`97d690d2`](containerd@97d690d) Prepare v1.4.1 release * [`910da2fb`](containerd@910da2f) Merge pull request [containerd#4555](containerd#4555) from thaJeztah/1.4_backport_bumpcni * [`ca3b91d8`](containerd@ca3b91d) Merge pull request [containerd#4560](containerd#4560) from dmcgowan/backport-4546 * [`42f38718`](containerd@42f3871) Always consume shim logs * [`ea29a60a`](containerd@ea29a60) Merge pull request [containerd#4558](containerd#4558) from thaJeztah/1.4_backport_winstats * [`db931948`](containerd@db93194) Merge pull request [containerd#4557](containerd#4557) from thaJeztah/1.4_backport_makefile_test_tags * [`9b5066aa`](containerd@9b5066a) Merge pull request [containerd#4556](containerd#4556) from thaJeztah/1.4_backport_fix_static_plugin * [`3bcce819`](containerd@3bcce81) Merge pull request [containerd#4554](containerd#4554) from thaJeztah/1.4_backport_add_openat2_syscall * [`98a733e0`](containerd@98a733e) Merge pull request [containerd#4552](containerd#4552) from thaJeztah/1.4_backport_shim_exec_p_debug * [`f247618a`](containerd@f247618) Report correct stats for windows containers * [`cc5d1518`](containerd@cc5d151) Update go list to respect build tags * [`086e859d`](containerd@086e859) BUILDING.md: fix description about static builds * [`16712ae4`](containerd@16712ae) bump cni version to v0.8.0 * [`1575c88c`](containerd@1575c88) seccomp: add `faccessat2` syscall. * [`8bd2bece`](containerd@8bd2bec) seccomp: add `openat2` syscall. * [`4e3397e0`](containerd@4e3397e) shimv1: downgrade poroccess missing log to debug * [`6b5fc7f2`](containerd@6b5fc7f) Merge pull request [containerd#4542](containerd#4542) from thaJeztah/1.4_backport_forward_signal_not_found * [`d118c90d`](containerd@d118c90) Ignore SIGURG signals in signal forwarder * [`3ee6189f`](containerd@3ee6189) Exit signal forward if process not found * [`1a367762`](containerd@1a36776) Merge pull request [containerd#4512](containerd#4512) from fuweid/14-cherry-pick-4486 * [`a1289d6b`](containerd@a1289d6) tasks: Monitor v2 tasks in initFunc as well * [`12f20c99`](containerd@12f20c9) Merge pull request [containerd#4503](containerd#4503) from thaJeztah/1.4_backport_seccomp_updates * [`1f823f76`](containerd@1f823f7) seccomp: allow io-uring related system calls * [`3d28944b`](containerd@3d28944) seccomp: allow clock_settime when CAP_SYS_TIME is added * [`e5cc7d52`](containerd@e5cc7d5) seccomp: allow quotactl with CAP_SYS_ADMIN * [`20273a80`](containerd@20273a8) seccomp: allow sync_file_range2 on supported architectures. * [`357d1002`](containerd@357d100) seccomp: allow personality with UNAME26 bit set * [`0c9de662`](containerd@0c9de66) seccomp: allow syscall membarrier * [`caa46116`](containerd@caa4611) seccomp: allow adjtimex get time operation * [`2b80b7dc`](containerd@2b80b7d) seccomp: allow add preadv2 and pwritev2 syscalls * [`e71eccbc`](containerd@e71eccb) seccomp: move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG * [`881db9b5`](containerd@881db9b) Merge pull request [containerd#4499](containerd#4499) from fuweid/cherry-pick-4472 * [`feff914a`](containerd@feff914) runtime: ignore ErrNotExist when remove rootfs * [`94c8bd94`](containerd@94c8bd9) Merge pull request [containerd#4496](containerd#4496) from kzys/backport-1.4-4437 * [`23e0ea27`](containerd@23e0ea2) snapshots/devmapper: fix rollback </p> </details> <details><summary>4 commits</summary> <p> * [`8fbf363`](containerd/go-cni@8fbf363) Merge pull request [containerd#56](containerd/go-cni#56) from aojea/bumpcni * [`49657db`](containerd/go-cni@49657db) bump containernetworking/cni dependency to 0.8.0 * [`1582593`](containerd/go-cni@1582593) Merge pull request [containerd#58](containerd/go-cni#58) from fuweid/update-readme-usage * [`8ffba88`](containerd/go-cni@8ffba88) README.md: update Usage case </p> </details> * **github.com/containerd/go-cni** v1.0.0 -> v1.0.1 * **github.com/containernetworking/cni** v0.7.1 -> v0.8.0 * **github.com/containernetworking/plugins** v0.7.6 -> v0.8.6 Previous release can be found at [v1.4.0](https://github.com/containerd/containerd/releases/tag/v1.4.0)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
equivalent of moby/moby#37929
This call is what is used to implement
dmesgto get kernel messagesabout the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host, unless
the sysctl
kernel.dmesg_restrict = 1is set, but this is not setby standard on the majority of distributions. Blocking this to restrict
leaks about the configuration seems correct.
Relates to moby/moby#37897 "docker exposes dmesg to containers by default"
See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html