seccomp: Support PKU in docker by default by Bonjourz · Pull Request #43490 · moby/moby

Bonjourz · 2022-04-15T03:40:34Z

Add pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) in seccomp default profile.
Similar to mprotect(), pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) can only configure its own memory of the process, so they are existing "safe for everyone" syscalls.

Such syscalls were added to Linux in kernel 4.9
More details can be found in the man page

What I did
I add pkey_alloc(), pkey_free()andpkey_mprotect()` into the default syscall's white list.
How I did it
Modify profiles/seccomp/default.json and profiles/seccomp/default_linux.go, append pkey_alloc(), pkey_free() and pkey_mprotect() to the default syscall list.

How to verify it

Here is the sample code (test.c):

#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>
#define BUF_SIZE    (0x1000)
int main() {
    int ret = -1, pkey = -1;
    ret = pkey_alloc(0, 0);
    if (ret < 0) {
        perror("Cannot invoke pkey_alloc() successfully");
        exit(-1);
    } else {
        pkey = ret;
        char *buf = (char *)mmap(NULL, BUF_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
        if (buf == MAP_FAILED) {
            perror("Cannot invoke mmap() successfully");
            exit(-1);
        }
        ret = pkey_mprotect(buf, BUF_SIZE, PROT_READ | PROT_WRITE, pkey);
        if (ret < 0) {
            perror("Cannot invoke pkey_mprotect() successfully");
            exit(-1);
        }
        ret = munmap(buf, BUF_SIZE);
        if (ret < 0) {
            perror("Cannot invoke munmap() successfully");
            exit(-1);
        }
        ret = pkey_free(pkey);
        if (ret < 0) {
            perror("Cannot invoke pkey_free() successfully");
            exit(-1);
        }
    }
    printf("PKU related syscalls are allowed in container environment!\n");
    return 0;
}

Compile it first:

gcc -o test test.c

docker run -it -v ${PWD}:/root/test --security-opt seccomp=${PWD}/profiles/seccomp/default.json ubuntu::20.04

Run test in docker:

/root/test/test

and will get the output:

PKU related syscalls are allowed in container environment!

Description for the changelog
profiles/seccomp/default.json and profiles/seccomp/default_linux.go: Add pkey_alloc(), pkey_free() and pkey_mprotect() to the default white list.
A picture of a cute animal (not mandatory but encouraged)

tianon · 2022-04-19T23:33:18Z

cc @justincormack

cpuguy83 · 2022-04-20T18:39:01Z

This seems like it would be ok.
I would say this paragraph seems a bit ambiguous to me if the limit is per process.

   To use the pkeys feature, the processor must support it, and the
   kernel must contain support for the feature on a given processor.
   As of early 2016 only future Intel x86 processors are supported,
   and this hardware supports 16 protection keys in each process.
   However, pkey 0 is used as the default key, so a maximum of 15
   are available for actual application use.

If it is indeed per process this seems OK.
That said you can change the default seccomp profile of a daemon by setting the --secomp-profile flag on dockerd.

Bonjourz · 2022-04-21T02:12:36Z

Hi @cpuguy83 , could you provide more details to show which statement confuses you?
As mentioned in #43490 (comment), pkey_alloc(), pkey_free() and pkey_mprotect() can only takes effect on its process's own memory, they do nothing with other processes.

You also mentioned:

That said you can change the default seccomp profile of a daemon by setting the --secomp-profile flag on dockerd.

Add --seccomp-profile works for us, but such solution seems not to be elegant, since developer may need to update legacy command in some production environments. My propose is to support pkey_alloc(), pkey_free() and pkey_mprotect() syscalls in seccomp default profile smoothly, similar to mprotect().

Add pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) in seccomp default profile. pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) can only configure the calling process's own memory, so they are existing "safe for everyone" syscalls. close issue: moby#43481 Signed-off-by: zhubojun <[email protected]>

Bonjourz · 2022-07-11T01:53:46Z

Hi, is there anyone help me review this PR? Thanks for your time!

Bonjourz marked this pull request as ready for review April 15, 2022 03:43

samuelkarp added status/0-triage area/security/seccomp labels Apr 15, 2022

Bonjourz force-pushed the 43481_support_pku branch 2 times, most recently from bd93981 to 96afe3e Compare April 15, 2022 03:53

thaJeztah changed the title ~~Support PKU in docker by default~~ seccomp: Support PKU in docker by default May 28, 2022

thaJeztah added the impact/changelog label May 28, 2022

thaJeztah requested review from AkihiroSuda and justincormack May 28, 2022 15:22

Bonjourz force-pushed the 43481_support_pku branch from 96afe3e to e258d66 Compare July 11, 2022 01:51

thaJeztah added status/2-code-review and removed status/0-triage labels Jul 13, 2022

justincormack approved these changes Jul 13, 2022

View reviewed changes

tianon approved these changes Jul 13, 2022

View reviewed changes

tianon merged commit dc4ab45 into moby:master Jul 13, 2022

thaJeztah added this to the v-next milestone Jul 13, 2022

thaJeztah added the process/cherry-pick label Jul 13, 2022

samuelkarp mentioned this pull request Jul 13, 2022

seccomp: seccomp: add syscalls related to PKU in default policy containerd/containerd#7163

Merged

thaJeztah mentioned this pull request Jul 15, 2022

[22.06 backport] profiles: seccomp: add syscalls related to PKU in default policy #43812

Merged

thaJeztah added process/cherry-picked and removed process/cherry-pick labels Jul 15, 2022

Bonjourz mentioned this pull request Jul 18, 2022

[RFC] Use PKU for isolation between LibOS and userspace program occlum/ngo#243

Closed

Bonjourz deleted the 43481_support_pku branch July 22, 2022 06:00

3socha mentioned this pull request Oct 22, 2022

Chromium が実行できない theoremoon/ShellgeiBot-Image#194

Closed

thaJeztah mentioned this pull request Dec 1, 2022

[20.10 backport] seccomp: sync profile with master #44565

Closed

thaJeztah mentioned this pull request Jan 24, 2023

[release/1.6 backport] seccomp updates containerd/containerd#8001

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

seccomp: Support PKU in docker by default#43490

seccomp: Support PKU in docker by default#43490
tianon merged 1 commit intomoby:masterfrom
Bonjourz:43481_support_pku

Bonjourz commented Apr 15, 2022 •

edited

Loading

Uh oh!

tianon commented Apr 19, 2022

Uh oh!

cpuguy83 commented Apr 20, 2022

Uh oh!

Bonjourz commented Apr 21, 2022 •

edited

Loading

Uh oh!

Bonjourz commented Jul 11, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Conversation

Bonjourz commented Apr 15, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tianon commented Apr 19, 2022

Uh oh!

cpuguy83 commented Apr 20, 2022

Uh oh!

Bonjourz commented Apr 21, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Bonjourz commented Jul 11, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Bonjourz commented Apr 15, 2022 •

edited

Loading

Bonjourz commented Apr 21, 2022 •

edited

Loading