[release/1.4] backport seccomp profile updates #4503
…SYSLOG

This call is what is used to implement `dmesg` to get kernel messages about the host. This can leak substantial information about the host. It is normally available to unprivileged users on the host, unless the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set by standard on the majority of distributions. Blocking this to restrict leaks about the configuration seems correct.

Relates to moby/moby#37897 "docker exposes dmesg to containers by default"

See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 267a0cf)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 7e7545e)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Enabled adjtimex in the default profile without requiring CAP_SYS_TIME privilege.
The kernel will check CAP_SYS_TIME and won't allow setting the time.
Fixes: Getting the system time with ntptime returns an error in an unprivileged container

To verify, inside a CentOS 7 container:

```sh
yum install -y ntp
ntptime
# ntp_gettime() returns code 0 (OK)
ntpdate -v time.nist.gov
# ntpdate[84]: Can't adjust the time of day: Operation not permitted
```
Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 1746a19)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Add the membarrier syscall to the default seccomp profile. It is for example used in the implementation of dlopen() in the musl libc of Alpine images.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit fc9e5d1)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
From personality(2):
Have uname(2) report a 2.6.40+ version number rather than a 3.x version
number. Added as a stopgap measure to support broken applications that
could not handle the kernel version-numbering switch from 2.6.x to 3.x.
This allows both "UNAME26|PER_LINUX" and "UNAME26|PER_LINUX32".
Fixes: "setarch broken in docker packages from Debian stretch"
Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 117d678)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
On a ppc64le host, running postgres (tried with 9.4 to 9.6) gives the following
warning when trying to flush data to disks (which happens very frequently):
WARNING: could not flush dirty data: Operation not permitted.
A quick dig in postgres source code indicates it uses sync_file_range(2) to
flush data; which on ppc64le and arm64 is translated to sync_file_range2(2)
for alignment reasons.
The profile did not allow sync_file_range2(2), making postgres sad because
it cannot flush its buffers. arm_sync_file_range(2) is an ancient alias to
sync_file_range2(2), the syscall was renamed in Linux 2.6.22 when the same
syscall was added for PowerPC.
Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 5862285)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
This allows the quotactl syscall in the default seccomp profile, gated by CAP_SYS_ADMIN.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 5cdb6e8)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 0a5ee7e)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Adds the io-uring related system calls introduced in kernel 5.1 to the seccomp whitelist. With older kernels or older versions of libseccomp, this configuration will be omitted. Note that io_uring will grow support for more syscalls in the future so we should keep an eye on this.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 325bac7)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
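Added example, written for this page and not containerd's own profile code: a small model of the default seccomp profile as the backported commits leave it (syscall names with optional architecture, capability and arg0 gates) and a check of what a container can call. The personality(2) flag values and the io_uring syscall names come from the man page and kernel, not from the commits; the rest follows the commit messages above.

```go
package main

import "fmt"

// rule models one entry of the default seccomp profile: allowed syscall names plus optional
// gates. Added illustration of the gating the commits describe, not containerd's own code.
type rule struct {
	names, arches, caps []string        // empty arches/caps: no gate; caps: holding any one suffices
	arg0                map[uint64]bool // empty: any arg0; otherwise arg0 must be a listed value
}
const perLinux, perLinux32, uname26 = 0x0, 0x8, 0x0020000 // personality(2) flags, from the man page
var profile = []rule{
	{names: []string{"adjtimex", "membarrier", "preadv2", "pwritev2"}}, // kernel checks CAP_SYS_TIME for adjtimex itself
	{names: []string{"io_uring_setup", "io_uring_enter", "io_uring_register"}},
	{names: []string{"sync_file_range2"}, arches: []string{"arm64", "ppc64le"}},
	{names: []string{"personality"}, arg0: map[uint64]bool{perLinux: true, perLinux32: true, uname26: true, uname26 | perLinux32: true, 0xffffffff: true}},
	{names: []string{"syslog"}, caps: []string{"CAP_SYS_ADMIN", "CAP_SYSLOG"}},
	{names: []string{"quotactl"}, caps: []string{"CAP_SYS_ADMIN"}},
}

func hasStr(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// allowed reports whether the profile lets a container on arch holding caps make the named
// syscall with arg0; a call no rule matches falls to the profile's default action (EPERM).
func allowed(name, arch string, caps []string, arg0 uint64) bool {
	for _, r := range profile {
		if !hasStr(r.names, name) || len(r.arches) > 0 && !hasStr(r.arches, arch) ||
			len(r.arg0) > 0 && !r.arg0[arg0] {
			continue
		}
		if len(r.caps) == 0 {
			return true
		}
		for _, c := range caps { // gated rule: any one of the listed capabilities unlocks it
			if hasStr(r.caps, c) {
				return true
			}
		}
	}
	return false
}

func main() {
	fmt.Println("unprivileged adjtimex:", allowed("adjtimex", "amd64", nil, 0), "syslog:", allowed("syslog", "amd64", nil, 0))
}
```

The unprivileged adjtimex case is the ntptime scenario from the commit above; syslog without CAP_SYS_ADMIN or CAP_SYSLOG is the dmesg leak the first commit closes.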
estesp
left a comment
LGTM
Zyqsempai
left a comment
LGTM
fuweid
left a comment
LGTM
containerd 1.4.1

Welcome to the v1.4.1 release of containerd! The first patch release for `containerd` 1.4 includes a fix for v1 shims hanging on exit and exec when the log pipe fills up along with other minor changes.

* Always consume shim logs to prevent logs in the shim from blocking [containerd#4546](containerd#4546)
* Fix error deleting v2 bundle directory when removing rootfs returns `ErrNotExist` [containerd#4472](containerd#4472)
* Fix metrics monitoring of v2 runtime tasks [containerd#4486](containerd#4486)
* Fix incorrect stat for Windows containers [containerd#4468](containerd#4468)
* Fix devmapper device deletion on rollback [containerd#4437](containerd#4437)
* Update seccomp default profile [containerd#4481](containerd#4481) [containerd#4491](containerd#4491) [containerd#4492](containerd#4492) [containerd#4493](containerd#4493)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

* Sebastiaan van Stijn
* Derek McGowan
* Wei Fu
* Brian Goff
* Akihiro Suda
* Antonio Ojea
* Jintao Zhang
* Phil Estes
* Kazuyoshi Kato
* Li Yuxuan
* Mike Brown
* Prashant Bhutani

<details><summary>36 commits</summary>
<p>

* [`c623d1b3`](containerd@c623d1b) Merge pull request [containerd#4564](containerd#4564) from dmcgowan/prepare-1.4.1
* [`97d690d2`](containerd@97d690d) Prepare v1.4.1 release
* [`910da2fb`](containerd@910da2f) Merge pull request [containerd#4555](containerd#4555) from thaJeztah/1.4_backport_bumpcni
* [`ca3b91d8`](containerd@ca3b91d) Merge pull request [containerd#4560](containerd#4560) from dmcgowan/backport-4546
* [`42f38718`](containerd@42f3871) Always consume shim logs
* [`ea29a60a`](containerd@ea29a60) Merge pull request [containerd#4558](containerd#4558) from thaJeztah/1.4_backport_winstats
* [`db931948`](containerd@db93194) Merge pull request [containerd#4557](containerd#4557) from thaJeztah/1.4_backport_makefile_test_tags
* [`9b5066aa`](containerd@9b5066a) Merge pull request [containerd#4556](containerd#4556) from thaJeztah/1.4_backport_fix_static_plugin
* [`3bcce819`](containerd@3bcce81) Merge pull request [containerd#4554](containerd#4554) from thaJeztah/1.4_backport_add_openat2_syscall
* [`98a733e0`](containerd@98a733e) Merge pull request [containerd#4552](containerd#4552) from thaJeztah/1.4_backport_shim_exec_p_debug
* [`f247618a`](containerd@f247618) Report correct stats for windows containers
* [`cc5d1518`](containerd@cc5d151) Update go list to respect build tags
* [`086e859d`](containerd@086e859) BUILDING.md: fix description about static builds
* [`16712ae4`](containerd@16712ae) bump cni version to v0.8.0
* [`1575c88c`](containerd@1575c88) seccomp: add `faccessat2` syscall.
* [`8bd2bece`](containerd@8bd2bec) seccomp: add `openat2` syscall.
* [`4e3397e0`](containerd@4e3397e) shimv1: downgrade poroccess missing log to debug
* [`6b5fc7f2`](containerd@6b5fc7f) Merge pull request [containerd#4542](containerd#4542) from thaJeztah/1.4_backport_forward_signal_not_found
* [`d118c90d`](containerd@d118c90) Ignore SIGURG signals in signal forwarder
* [`3ee6189f`](containerd@3ee6189) Exit signal forward if process not found
* [`1a367762`](containerd@1a36776) Merge pull request [containerd#4512](containerd#4512) from fuweid/14-cherry-pick-4486
* [`a1289d6b`](containerd@a1289d6) tasks: Monitor v2 tasks in initFunc as well
* [`12f20c99`](containerd@12f20c9) Merge pull request [containerd#4503](containerd#4503) from thaJeztah/1.4_backport_seccomp_updates
* [`1f823f76`](containerd@1f823f7) seccomp: allow io-uring related system calls
* [`3d28944b`](containerd@3d28944) seccomp: allow clock_settime when CAP_SYS_TIME is added
* [`e5cc7d52`](containerd@e5cc7d5) seccomp: allow quotactl with CAP_SYS_ADMIN
* [`20273a80`](containerd@20273a8) seccomp: allow sync_file_range2 on supported architectures.
* [`357d1002`](containerd@357d100) seccomp: allow personality with UNAME26 bit set
* [`0c9de662`](containerd@0c9de66) seccomp: allow syscall membarrier
* [`caa46116`](containerd@caa4611) seccomp: allow adjtimex get time operation
* [`2b80b7dc`](containerd@2b80b7d) seccomp: allow add preadv2 and pwritev2 syscalls
* [`e71eccbc`](containerd@e71eccb) seccomp: move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG
* [`881db9b5`](containerd@881db9b) Merge pull request [containerd#4499](containerd#4499) from fuweid/cherry-pick-4472
* [`feff914a`](containerd@feff914) runtime: ignore ErrNotExist when remove rootfs
* [`94c8bd94`](containerd@94c8bd9) Merge pull request [containerd#4496](containerd#4496) from kzys/backport-1.4-4437
* [`23e0ea27`](containerd@23e0ea2) snapshots/devmapper: fix rollback

</p>
</details>

<details><summary>4 commits</summary>
<p>

* [`8fbf363`](containerd/go-cni@8fbf363) Merge pull request [containerd#56](containerd/go-cni#56) from aojea/bumpcni
* [`49657db`](containerd/go-cni@49657db) bump containernetworking/cni dependency to 0.8.0
* [`1582593`](containerd/go-cni@1582593) Merge pull request [containerd#58](containerd/go-cni#58) from fuweid/update-readme-usage
* [`8ffba88`](containerd/go-cni@8ffba88) README.md: update Usage case

</p>
</details>

* **github.com/containerd/go-cni** v1.0.0 -> v1.0.1
* **github.com/containernetworking/cni** v0.7.1 -> v0.8.0
* **github.com/containernetworking/plugins** v0.7.6 -> v0.8.6

Previous release can be found at [v1.4.0](https://github.com/containerd/containerd/releases/tag/v1.4.0)
Backports of: