seccomp: deduplicate default profile

Several syscalls were enabled globally (SCMP_ACT_ALLOW without any conditions for all containers), but also had conditional rules later in the profile (likely inherited from Docker). The following syscalls do not need special casing because they were globally enabled: * clone, unshare, mount, umount, umount2 all had special CAP_SYS_ADMIN restrictions but those don't make sense since they were also enabled for all containers. * reboot was permitted for CAP_SYS_BOOT and all containers. * name_to_handle_at was permitted for CAP_SYS_ADMIN, CAP_SYS_NICE(?), and all containers. And certain syscalls had globally-enabled rules when they shouldn't have: * socket has special rules for CAP_AUDIT_WRITE but it also had a global "allow unconditionally" rule. It turns out that libseccomp will override unconditional rules with conditional ones but this is somewhat of an implementation detail and it's much safer to remove the rule and use the existing cases. Now the only syscalls remaining with complicated rules (meaning they appear more than once in the profile) are: * sync_file_range2 which is architecture specific (though in principle we could move it to enabled-without-rules because runc ignores unknown syscalls). Signed-off-by: Aleksa Sarai <[email protected]>
containers · Jan 27, 2021 · bf297c1 · bf297c1
1 parent 853d0ce
commit bf297c1
Showing 1 changed file with 6 additions and 65 deletions.
diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
@@ -5,8 +5,6 @@
 package seccomp
 
 import (
-	"syscall"
-
 	"golang.org/x/sys/unix"
 )
 
@@ -45,7 +43,7 @@ func arches() []Architecture {
 
 // DefaultProfile defines the allowlist for the default seccomp profile.
 func DefaultProfile() *Seccomp {
-	einval := uint(syscall.EINVAL)
+	einval := uint(unix.EINVAL)
 
 	syscalls := []*Syscall{
 		{
@@ -331,7 +329,6 @@ func DefaultProfile() *Seccomp {
 				"signalfd",
 				"signalfd4",
 				"sigreturn",
-				"socket",
 				"socketcall",
 				"socketpair",
 				"splice",
@@ -512,75 +509,20 @@ func DefaultProfile() *Seccomp {
 		{
 			Names: []string{
 				"bpf",
-				"clone",
 				"fanotify_init",
 				"lookup_dcookie",
-				"mount",
-				"name_to_handle_at",
 				"perf_event_open",
 				"quotactl",
 				"setdomainname",
 				"sethostname",
 				"setns",
-				"umount",
-				"umount2",
-				"unshare",
 			},
 			Action: ActAllow,
 			Args:   []*Arg{},
 			Includes: Filter{
 				Caps: []string{"CAP_SYS_ADMIN"},
 			},
 		},
-		{
-			Names: []string{
-				"clone",
-			},
-			Action: ActAllow,
-			Args: []*Arg{
-				{
-					Index:    0,
-					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
-					ValueTwo: 0,
-					Op:       OpMaskedEqual,
-				},
-			},
-			Excludes: Filter{
-				Caps:   []string{"CAP_SYS_ADMIN"},
-				Arches: []string{"s390", "s390x"},
-			},
-		},
-		{
-			Names: []string{
-				"clone",
-			},
-			Action: ActAllow,
-			Args: []*Arg{
-				{
-					Index:    1,
-					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
-					ValueTwo: 0,
-					Op:       OpMaskedEqual,
-				},
-			},
-			Comment: "s390 parameter ordering for clone is different",
-			Includes: Filter{
-				Arches: []string{"s390", "s390x"},
-			},
-			Excludes: Filter{
-				Caps: []string{"CAP_SYS_ADMIN"},
-			},
-		},
-		{
-			Names: []string{
-				"reboot",
-			},
-			Action: ActAllow,
-			Args:   []*Arg{},
-			Includes: Filter{
-				Caps: []string{"CAP_SYS_BOOT"},
-			},
-		},
 		{
 			Names: []string{
 				"chroot",
@@ -608,7 +550,6 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"get_mempolicy",
 				"mbind",
-				"name_to_handle_at",
 				"set_mempolicy",
 			},
 			Action: ActAllow,
@@ -683,12 +624,12 @@ func DefaultProfile() *Seccomp {
 			Args: []*Arg{
 				{
 					Index: 0,
-					Value: syscall.AF_NETLINK,
+					Value: unix.AF_NETLINK,
 					Op:    OpEqualTo,
 				},
 				{
 					Index: 2,
-					Value: syscall.NETLINK_AUDIT,
+					Value: unix.NETLINK_AUDIT,
 					Op:    OpEqualTo,
 				},
 			},
@@ -704,7 +645,7 @@ func DefaultProfile() *Seccomp {
 			Args: []*Arg{
 				{
 					Index: 2,
-					Value: syscall.NETLINK_AUDIT,
+					Value: unix.NETLINK_AUDIT,
 					Op:    OpNotEqual,
 				},
 			},
@@ -720,7 +661,7 @@ func DefaultProfile() *Seccomp {
 			Args: []*Arg{
 				{
 					Index: 0,
-					Value: syscall.AF_NETLINK,
+					Value: unix.AF_NETLINK,
 					Op:    OpNotEqual,
 				},
 			},
@@ -736,7 +677,7 @@ func DefaultProfile() *Seccomp {
 			Args: []*Arg{
 				{
 					Index: 2,
-					Value: syscall.NETLINK_AUDIT,
+					Value: unix.NETLINK_AUDIT,
 					Op:    OpNotEqual,
 				},
 			},