
Commit 74e1d6c

committed
Block obsolete socket families in the default seccomp profile
Linux supports many obsolete address families, which are usually available in common distro kernels, but they are less likely to be properly audited and may have security issues. This blocks all socket families in the socket (and socketcall where applicable) syscall except - AF_UNIX - Unix domain sockets - AF_INET - IPv4 - AF_INET6 - IPv6 - AF_NETLINK - Netlink sockets for communicating with the kernel - AF_PACKET - raw sockets, which are only allowed with CAP_NET_RAW. All other socket families are blocked, including Appletalk (native, not over IP), IPX (remember that!), VSOCK and HVSOCK, which should not generally be used in containers, etc. Note that users can of course provide a profile per container or in the daemon config if they have unusual use cases that require these. Signed-off-by: Justin Cormack <[email protected]>
1 parent 2975aae commit 74e1d6c

2 files changed

Lines changed: 364 additions & 4 deletions


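--- a/seccomp/default.json
+++ b/seccomp/default.json
@@ -312,8 +312,6 @@
 "signalfd",
 "signalfd4",
 "sigreturn",
-"socket",
-"socketcall",
 "socketpair",
 "splice",
 "stat",
@@ -415,6 +413,223 @@
 "includes": {},
 "excludes": {}
 },
+{
+"names": [
+"socket"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socket"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 2,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socket"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 10,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socket"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 16,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socket"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 17,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_GT"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+},
+{
+"index": 1,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+},
+{
+"index": 1,
+"value": 2,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+},
+{
+"index": 1,
+"value": 10,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+},
+{
+"index": 1,
+"value": 16,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+},
+{
+"index": 1,
+"value": 17,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
 {
 "names": [
 "breakpoint",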
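Review bot: Every one of the eleven new `socket`/`socketcall` rules in the second hunk ships with `"comment": ""`, so a reader of the JSON profile gets no explanation of why address families 1, 2, 10, 16 and 17 are the allowed set or why the `SCMP_CMP_GT` rule exists, whereas the Go counterpart at least annotates the socketcall case. I would put the family name in each `socket` rule's comment, e.g. `"comment": "AF_UNIX"` for the `"value": 1` rule, and give the `SCMP_CMP_GT` rule `"comment": "socketcall subcalls other than SYS_SOCKET (1) are allowed unconditionally; socketcall(1, domain, ...) is checked per family like socket()"`. Note that these rules only restrict anything if the profile's `defaultAction` (outside this section) denies unmatched `socket` calls, which I can't confirm from the hunk; worth a quick check that removing `socket` from the big allow list and adding these rules leaves the expected families reachable on i386, where `socketcall` is the path taken.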

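--- a/seccomp/seccomp_default.go
+++ b/seccomp/seccomp_default.go
@@ -306,8 +306,6 @@ func DefaultProfile() *types.Seccomp {
 "signalfd",
 "signalfd4",
 "sigreturn",
-"socket",
-"socketcall",
 "socketpair",
 "splice",
 "stat",
@@ -388,6 +386,153 @@ func DefaultProfile() *types.Seccomp {
 },
 },
 },
+{
+Names: []string{"socket"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: syscall.AF_UNIX,
+Op: types.OpEqualTo,
+},
+},
+},
+{
+Names: []string{"socket"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: syscall.AF_INET,
+Op: types.OpEqualTo,
+},
+},
+},
+{
+Names: []string{"socket"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: syscall.AF_INET6,
+Op: types.OpEqualTo,
+},
+},
+},
+{
+Names: []string{"socket"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: syscall.AF_NETLINK,
+Op: types.OpEqualTo,
+},
+},
+},
+{
+Names: []string{"socket"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: syscall.AF_PACKET,
+Op: types.OpEqualTo,
+},
+},
+},
+// socketcall(1, ...) is equivalent to socket(...) on some architectures eg i386
+{
+Names: []string{"socketcall"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: 1,
+Op: types.OpGreaterThan,
+},
+},
+},
+{
+Names: []string{"socketcall"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: 1,
+Op: types.OpEqualTo,
+},
+{
+Index: 1,
+Value: syscall.AF_UNIX,
+Op: types.OpEqualTo,
+},
+},
+},
+{
+Names: []string{"socketcall"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: 1,
+Op: types.OpEqualTo,
+},
+{
+Index: 1,
+Value: syscall.AF_INET,
+Op: types.OpEqualTo,
+},
+},
+},
+{
+Names: []string{"socketcall"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: 1,
+Op: types.OpEqualTo,
+},
+{
+Index: 1,
+Value: syscall.AF_INET6,
+Op: types.OpEqualTo,
+},
+},
+},
+{
+Names: []string{"socketcall"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: 1,
+Op: types.OpEqualTo,
+},
+{
+Index: 1,
+Value: syscall.AF_NETLINK,
+Op: types.OpEqualTo,
+},
+},
+},
+{
+Names: []string{"socketcall"},
+Action: types.ActAllow,
+Args: []*types.Arg{
+{
+Index: 0,
+Value: 1,
+Op: types.OpEqualTo,
+},
+{
+Index: 1,
+Value: syscall.AF_PACKET,
+Op: types.OpEqualTo,
+},
+},
+},
 {
 Names: []string{
 "breakpoint",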
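Review bot: The new rules reference `syscall.AF_UNIX` through `syscall.AF_PACKET`, but the import block is outside this section, so I can't see that `syscall` is imported; `AF_NETLINK` and `AF_PACKET` exist only in the Linux `syscall` package, so this file must keep a linux-only build constraint or the non-Linux builds break. The rationale for the allow-list lives only in the commit message; I would keep it with the code by adding, before the first `socket` rule, `// Only a fixed set of address families may be created with socket(2): AF_UNIX, AF_INET, AF_INET6, AF_NETLINK and AF_PACKET (AF_PACKET is additionally gated by CAP_NET_RAW in the kernel); all other families fall through to the profile's default action.` The existing comment on the socketcall block is worth extending to say that the `OpGreaterThan` rule deliberately admits every socketcall subcall other than SYS_SOCKET (1) without argument checks, since that is the non-obvious part. The enclosing `DefaultProfile` starts and ends outside the hunk, so the default action these rules rely on is not visible here.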
