seccomp: explicitly block new (already blocked) syscalls

The following syscalls have been added in recent kernels and considered for this list: - cachestat, prints information about cache misses; it is less accurate than userfaultfd so probably safe but deny it until a clear need shows up - io_pgetevents_time64: io_pgetevents is already blocked, so block this variant as well. Note these are pretty close to io_getenvents, so we should probably block that as well, but since it is currently allowed keep that where it is. - map_shadow_stack: this allows creating a new shadow stack, required for user-space threading if shadow stack verification is enabled (prctl PR_SET_SHADOW_STACK_STATUS with PR_SHADOW_STACK_ENABLE); this might be required in the future but delay this decision until someone requests it - futex_* new interface is primarily intended for io_uring which we disallow, and does not have any known user yet so likewise block until someone requests it. - quotactl_fd: this is identical to quotactl, so only allow for SYS_ADMIN like quotactl. Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
2024-06-04 11:26:03 +09:00 · 2024-06-04 11:26:03 +09:00 · f9fb2eba22
parent dbf22d13ae
commit f9fb2eba22
2 changed files with 18 additions and 0 deletions
--- a/common/pkg/seccomp/default_linux.go
+++ b/common/pkg/seccomp/default_linux.go
@ -51,9 +51,16 @@ func DefaultProfile() *Seccomp {
 		{
 			Names: []string{
 				"bdflush",
+				"cachestat",
+				"futex_requeue",
+				"futex_wait",
+				"futex_waitv",
+				"futex_wake",
 				"io_pgetevents",
+				"io_pgetevents_time64",
 				"kexec_file_load",
 				"kexec_load",
+				"map_shadow_stack",
 				"migrate_pages",
 				"move_pages",
 				"nfsservctl",
@ -602,6 +609,7 @@ func DefaultProfile() *Seccomp {
 				"lookup_dcookie",
 				"perf_event_open",
 				"quotactl",
+				"quotactl_fd",
 				"setdomainname",
 				"sethostname",
 				"setns",
@ -619,6 +627,7 @@ func DefaultProfile() *Seccomp {
 				"lookup_dcookie",
 				"perf_event_open",
 				"quotactl",
+				"quotactl_fd",
 				"setdomainname",
 				"sethostname",
 				"setns",
--- a/common/pkg/seccomp/seccomp.json
+++ b/common/pkg/seccomp/seccomp.json
@ -55,9 +55,16 @@
 		{
 			"names": [
 				"bdflush",
+				"cachestat",
+				"futex_requeue",
+				"futex_wait",
+				"futex_waitv",
+				"futex_wake",
 				"io_pgetevents",
+				"io_pgetevents_time64",
 				"kexec_file_load",
 				"kexec_load",
+				"map_shadow_stack",
 				"migrate_pages",
 				"move_pages",
 				"nfsservctl",
@ -675,6 +682,7 @@
 				"lookup_dcookie",
 				"perf_event_open",
 				"quotactl",
+				"quotactl_fd",
 				"setdomainname",
 				"sethostname",
 				"setns"
@ -696,6 +704,7 @@
 				"lookup_dcookie",
 				"perf_event_open",
 				"quotactl",
+				"quotactl_fd",
 				"setdomainname",
 				"sethostname",
 				"setns"