Fix seccomp profile for clone syscall

thaJeztah · thaJeztah · commit a1ec8551ab48 · 2019-06-04T15:28:12.000+02:00
All clone flags for namespace should be denied.

Based-on-patch-by: Kenta Tada &lt;Kenta.Tada@sony.com&gt;
Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
@@ -596,7 +596,7 @@
 			"args": [
 				{
 					"index": 0,
-					"value": 2080505856,
+					"value": 2114060288,
 					"valueTwo": 0,
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
@@ -621,7 +621,7 @@
 			"args": [
 				{
 					"index": 1,
-					"value": 2080505856,
+					"value": 2114060288,
 					"valueTwo": 0,
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
diff --git a/profiles/seccomp/fixtures/example.json b/profiles/seccomp/fixtures/example.json
@@ -7,7 +7,7 @@
             "args": [
                 {
                     "index": 0,
-                    "value": 2080505856,
+                    "value": 2114060288,
                     "valueTwo": 0,
                     "op": "SCMP_CMP_MASKED_EQ"
                 }
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
@@ -518,7 +518,7 @@ func DefaultProfile() *types.Seccomp {
 			Args: []*types.Arg{
 				{
 					Index:    0,
-					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 					ValueTwo: 0,
 					Op:       types.OpMaskedEqual,
 				},
@@ -536,7 +536,7 @@ func DefaultProfile() *types.Seccomp {
 			Args: []*types.Arg{
 				{
 					Index:    1,
-					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 					ValueTwo: 0,
 					Op:       types.OpMaskedEqual,
 				},

Original file line number	Diff line number	Diff line change
`@@ -596,7 +596,7 @@`
`596`	`596`	`"args": [`
`597`	`597`	`{`
`598`	`598`	`"index": 0,`
`599`		`- "value": 2080505856,`
	`599`	`+ "value": 2114060288,`
`600`	`600`	`"valueTwo": 0,`
`601`	`601`	`"op": "SCMP_CMP_MASKED_EQ"`
`602`	`602`	`}`
`@@ -621,7 +621,7 @@`
`621`	`621`	`"args": [`
`622`	`622`	`{`
`623`	`623`	`"index": 1,`
`624`		`- "value": 2080505856,`
	`624`	`+ "value": 2114060288,`
`625`	`625`	`"valueTwo": 0,`
`626`	`626`	`"op": "SCMP_CMP_MASKED_EQ"`
`627`	`627`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`"args": [`
`8`	`8`	`{`
`9`	`9`	`"index": 0,`
`10`		`- "value": 2080505856,`
	`10`	`+ "value": 2114060288,`
`11`	`11`	`"valueTwo": 0,`
`12`	`12`	`"op": "SCMP_CMP_MASKED_EQ"`
`13`	`13`	`}`