seccomp v0.2.2

@vvoland vvoland released this 01 May 00:14
seccomp/v0.2.2
d62da27

What's Changed

  • Explicitly block socketcall to prevent AF_ALG filter bypass (#21)

    The socket arg filters only apply to the direct socket(2) syscall. On
    architectures that still expose the legacy socketcall(2) multiplexer (i386
    compat on amd64, s390 compat on s390x, MIPS o32 compat on MIPS64), libseccomp
    auto-generates a socketcall(SYS_SOCKET) -> ALLOW companion for each socket
    ALLOW rule. That companion checks only the socketcall sub-command number; the
    address family lives in the userspace args array that socketcall takes by
    pointer, which seccomp BPF cannot dereference, so a 32-bit binary can open an
    AF_ALG socket through socketcall and bypass the block.

    An explicit socketcall -> ERRNO(ENOSYS) deny rule is now placed before the
    socket allow rules. ENOSYS must be used instead of EPERM because the deny
    errno must differ from DefaultErrnoRet (EPERM): runc skips calling
    seccomp_rule_add() entirely when a rule's action matches the default action,
    so an EPERM deny is never passed to libseccomp and the auto-generated
    socketcall ALLOW path survives unchallenged. With ENOSYS, runc passes the
    rule through and libseccomp replaces the auto-generated ALLOW path with
    ERRNO(ENOSYS) in the BPF.

    Since Linux 4.3, all affected architectures provide direct socket syscalls and
    modern glibc/musl already use them, so the new deny rule is invisible to them.
    Only very old statically-linked 32-bit binaries built against a libc that
    predates the direct socket syscalls (and so still routes socket() through
    socketcall) would notice, receiving ENOSYS instead.
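
As an added example (not code from this project or the release), the reasoning above turned into a small Go lint over an OCI runtime-spec style seccomp profile: it flags a profile whose socket(2) allow rules are argument-filtered but which has no explicit socketcall(2) deny, a deny whose action coincides with the default action (the EPERM trap, since runc then never calls seccomp_rule_add for it), and a deny placed after the socket rules. The `Seccomp`/`Syscall`/`Arg` structs are an example-local mirror of the runtime-spec JSON field names, not the spec package; the three sample profiles are constructed here, and the AF_ALG block is written as two `socket` ALLOW rules on arg 0 (domain below and above 38) only for illustration. AF_ALG = 38, EPERM = 1 and ENOSYS = 38 are the Linux values.

```go
package main

import "fmt"

const (
	afAlg  = 38 // AF_ALG address family
	ePerm  = 1  // EPERM; runtime-spec's errno when errnoRet/defaultErrnoRet is unset
	eNoSys = 38 // ENOSYS
)

// Example-local mirror of the OCI runtime-spec LinuxSeccomp JSON shape (not imported).
type Seccomp struct {
	DefaultAction   string    `json:"defaultAction"`
	DefaultErrnoRet *uint     `json:"defaultErrnoRet,omitempty"`
	Syscalls        []Syscall `json:"syscalls"`
}

type Syscall struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	ErrnoRet *uint    `json:"errnoRet,omitempty"`
	Args     []Arg    `json:"args,omitempty"`
}

type Arg struct {
	Index uint   `json:"index"`
	Value uint64 `json:"value"`
	Op    string `json:"op"`
}

// errnoOf resolves an ERRNO action's errno; an unset pointer means EPERM.
func errnoOf(p *uint) uint {
	if p == nil {
		return ePerm
	}
	return *p
}
func hasName(s Syscall, want string) bool {
	for _, n := range s.Names {
		if n == want {
			return true
		}
	}
	return false
}

// CheckSocketcall applies the release note's reasoning as a lint, returning one finding
// per problem (nil when consistent): arg-filtered socket(2) needs an explicit socketcall(2)
// deny, that deny must differ from the default action, and it sits before the socket rules.
func CheckSocketcall(p Seccomp) []string {
	socketIdx, denyIdx := -1, -1
	for i, s := range p.Syscalls {
		if socketIdx < 0 && hasName(s, "socket") && s.Action == "SCMP_ACT_ALLOW" && len(s.Args) > 0 {
			socketIdx = i
		}
		if denyIdx < 0 && hasName(s, "socketcall") && s.Action != "SCMP_ACT_ALLOW" {
			denyIdx = i
		}
	}
	if socketIdx < 0 {
		return nil // socket is not arg-filtered, so there is nothing for socketcall to bypass
	}
	if denyIdx < 0 {
		return []string{"no explicit socketcall deny: libseccomp emits socketcall(SYS_SOCKET) -> ALLOW per socket ALLOW rule, so 32-bit callers skip the AF_ALG filter"}
	}
	var findings []string
	deny := p.Syscalls[denyIdx]
	if deny.Action == p.DefaultAction &&
		(deny.Action != "SCMP_ACT_ERRNO" || errnoOf(deny.ErrnoRet) == errnoOf(p.DefaultErrnoRet)) {
		findings = append(findings, "socketcall deny equals the default action: runc skips seccomp_rule_add and the auto-generated ALLOW path survives")
	}
	if denyIdx > socketIdx {
		findings = append(findings, "socketcall deny comes after the first socket ALLOW rule; move it ahead of the socket rules")
	}
	return findings
}

// socketAllows: constructed AF_ALG block as socket(2) ALLOW rules on arg 0 (domain < 38 or > 38).
func socketAllows() []Syscall {
	return []Syscall{
		{Names: []string{"socket"}, Action: "SCMP_ACT_ALLOW", Args: []Arg{{Index: 0, Value: afAlg, Op: "SCMP_CMP_LT"}}},
		{Names: []string{"socket"}, Action: "SCMP_ACT_ALLOW", Args: []Arg{{Index: 0, Value: afAlg, Op: "SCMP_CMP_GT"}}},
	}
}

func withDeny(errno uint) Seccomp {
	deny := Syscall{Names: []string{"socketcall"}, Action: "SCMP_ACT_ERRNO", ErrnoRet: &errno}
	return Seccomp{DefaultAction: "SCMP_ACT_ERRNO", Syscalls: append([]Syscall{deny}, socketAllows()...)}
}

// Vulnerable leaves socketcall implicit; Eperm is the deny runc drops; Fixed uses ENOSYS as v0.2.2 does.
func VulnerableProfile() Seccomp { return Seccomp{DefaultAction: "SCMP_ACT_ERRNO", Syscalls: socketAllows()} }
func EpermProfile() Seccomp      { return withDeny(ePerm) }
func FixedProfile() Seccomp      { return withDeny(eNoSys) }

func main() {
	fmt.Println("vulnerable:", CheckSocketcall(VulnerableProfile()))
	fmt.Println("eperm:     ", CheckSocketcall(EpermProfile()))
	fmt.Println("fixed:     ", CheckSocketcall(FixedProfile()))
}
```

The EPERM case is the one worth remembering: the profile looks hardened, but because its errno equals `defaultErrnoRet` the rule is treated as redundant and never reaches libseccomp, so the lint flags it as loudly as the missing rule.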

Full Changelog: seccomp/v0.2.1...seccomp/v0.2.2