
Add process_vm read and write calls to default seccomp profile#7693

Merged

kzys merged 1 commit into containerd:main from hoyosjs:juhoyosa/enable-ptrace-proc-vm-apis on Nov 21, 2022

Conversation

@hoyosjs (Contributor) commented Nov 18, 2022

Follow up to 94faa70. The commit referenced allowed ptrace calls in the default seccomp profile, following the usual tracing security checks, for kernels newer than 4.8. Kernels prior to this version are susceptible to CVE-2019-2054. Moby's default had allowed ptrace for kernels newer than 4.8 at the time the commit was created. The current seccomp default has been updated to include process_vm_read and process_vm_write. Mirror that policy to complete the classic ptrace set of APIs.

Signed-off-by: Juan Sebastian Hoyos Ayala [email protected]
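The policy the PR describes is a kernel-version-gated allow rule: the ptrace family (the actual syscall names are process_vm_readv(2) and process_vm_writev(2), alongside ptrace(2)) is added to the default allow-list only when the running kernel is 4.8 or newer. The following is an added example, not containerd's or Moby's own code, showing how such a gate is built and checked. It assumes a simplified rule struct in place of the OCI runtime-spec LinuxSyscall type and a constructed baseline allow-list; the version parsing handles the suffixes real `uname -r` strings carry and compares numerically, so that 4.10 is correctly treated as newer than 4.8.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// kernelVersion holds the major.minor part of a Linux release string.
type kernelVersion struct {
	Major, Minor int
}

// syscallRule is a deliberately simplified stand-in for the OCI runtime-spec
// LinuxSyscall type (assumption: avoids the external dependency here).
type syscallRule struct {
	Names  []string
	Action string // e.g. "SCMP_ACT_ALLOW"
}

// parseKernelVersion extracts major and minor from a release string as
// returned by uname -r, e.g. "4.8.0", "5.15.0-56-generic", "4.10.0-rc2".
func parseKernelVersion(release string) (kernelVersion, error) {
	base := release
	// Drop the distribution suffix after the first '-' ("-56-generic", "-rc2").
	if i := strings.IndexByte(base, '-'); i >= 0 {
		base = base[:i]
	}
	parts := strings.Split(base, ".")
	if len(parts) < 2 {
		return kernelVersion{}, fmt.Errorf("unparseable kernel release %q", release)
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return kernelVersion{}, fmt.Errorf("bad major version in %q: %w", release, err)
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil {
		return kernelVersion{}, fmt.Errorf("bad minor version in %q: %w", release, err)
	}
	return kernelVersion{Major: major, Minor: minor}, nil
}

// atLeast compares numerically; a plain string compare would rank "4.10"
// below "4.8" and wrongly withhold the rule on 4.10+ kernels.
func (v kernelVersion) atLeast(major, minor int) bool {
	if v.Major != major {
		return v.Major > major
	}
	return v.Minor >= minor
}

// defaultRules builds the allow-list for the given kernel release. The
// baseline names are a small constructed subset, not the real default profile;
// the ptrace family is appended only on kernels >= 4.8.
func defaultRules(release string) ([]syscallRule, error) {
	v, err := parseKernelVersion(release)
	if err != nil {
		return nil, err
	}
	rules := []syscallRule{
		{Names: []string{"read", "write", "exit_group"}, Action: "SCMP_ACT_ALLOW"},
	}
	if v.atLeast(4, 8) {
		rules = append(rules, syscallRule{
			Names:  []string{"process_vm_readv", "process_vm_writev", "ptrace"},
			Action: "SCMP_ACT_ALLOW",
		})
	}
	return rules, nil
}

// allows reports whether the profile carries an allow rule for name. Under a
// default-deny seccomp profile, anything not listed is blocked.
func allows(rules []syscallRule, name string) bool {
	for _, r := range rules {
		if r.Action != "SCMP_ACT_ALLOW" {
			continue
		}
		for _, n := range r.Names {
			if n == name {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample release strings spanning both sides of the 4.8 gate.
	for _, rel := range []string{"4.4.0-210-generic", "4.8.0", "4.10.0-rc2", "5.15.0-56-generic"} {
		rules, err := defaultRules(rel)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-20s ptrace=%-5v process_vm_readv=%v\n",
			rel, allows(rules, "ptrace"), allows(rules, "process_vm_readv"))
	}
}
```

Running the program prints one line per sample release; only the 4.4 kernel ends up without the ptrace family, which is the behaviour the gate exists to enforce.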

@k8s-ci-robot commented

Hi @hoyosjs. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@AkihiroSuda (Member) commented

Please squash commits, then LGTM

@hoyosjs force-pushed the juhoyosa/enable-ptrace-proc-vm-apis branch from 779ecee to e224f77 on November 18, 2022 15:54. Commit message after the squash:

Follow up to 94faa70. The commit referenced allowed `ptrace` calls in the default seccomp profile, following the usual tracing security checks, for kernels newer than 4.8. Kernels prior to this version are susceptible to [CVE-2019-2054](GHSA-qgfr-27qf-f323). Moby's default had allowed `ptrace` for kernels newer than 4.8 at the time the commit was created. The current [seccomp default](https://github.com/moby/moby/blob/master/profiles/seccomp/default_linux.go#L405-L417) has been updated to include `process_vm_read` and `process_vm_write`. Mirror that policy to complete the classic ptrace set of APIs.

Signed-off-by: Juan Hoyos <[email protected]>
@hoyosjs (Contributor, Author) commented Nov 18, 2022

@AkihiroSuda done, thanks

@estesp (Member) left a review comment

LGTM

@kzys kzys merged commit 20cb9a9 into containerd:main Nov 21, 2022
@hoyosjs hoyosjs deleted the juhoyosa/enable-ptrace-proc-vm-apis branch November 23, 2022 17:31