add missing equivalents of already allowed syscalls for 32-bit platforms
with 64-bit time for countering Y2038
Fixes#593
Signed-off-by: Jan Palus <jpalus@fastmail.com>
In order to run containers within containers via podman
and do a podman exec, we need to allow setns syscalls.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This mirrors the Docker and containerd changes, with the caveat that
because mount(2) is permitted under podman for all containers we
therefore add all of the v2 mount API syscalls as available to all
containers.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Several syscalls were enabled globally (SCMP_ACT_ALLOW without any
conditions for all containers), but also had conditional rules later in
the profile (likely inherited from Docker). The following syscalls do
not need special casing because they were globally enabled:
* clone, unshare, mount, umount, umount2 all had special CAP_SYS_ADMIN
restrictions but those don't make sense since they were also enabled
for all containers.
* reboot was permitted for CAP_SYS_BOOT and all containers.
* name_to_handle_at was permitted for CAP_SYS_ADMIN, CAP_SYS_NICE(?),
and all containers.
And certain syscalls had globally-enabled rules when they shouldn't
have:
* socket has special rules for CAP_AUDIT_WRITE but it also had a global
"allow unconditionally" rule. It turns out that libseccomp will
override unconditional rules with conditional ones but this is
somewhat of an implementation detail and it's much safer to remove
the rule and use the existing cases.
Now the only syscalls remaining with complicated rules (meaning they
appear more than once in the profile) are:
* sync_file_range2 which is architecture specific (though in principle
we could move it to enabled-without-rules because runc ignores
unknown syscalls).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Since secrets is shared by buildah, podman and cri-o, we need
to move it to containers/common.
Also move containers-mounts.conf.5.md to common from podman,
since this is common to all packages.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
12 new syscalls have been added for handling 64 bit time.
These syscalls are breaking containers on newer kernels.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This syscall is proposed for the kernel but does not exists yet. Having it in
the default syscall table is causing crun to print warning messages.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
faccessat2, openat2, fchmodat2 are all new syscalls to help eliminate
race conditions, current containers get the older versions of these syscalls
so adding them by default makes sense.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add the following default syscalls:
"clock_adjtime" -- Already allow adjtimex
"clone" -- Needed so we can use a usernamespace within a container.
Since this is allowed for non root users, it should be safe
to use, and can allow us to support containers/user namespaces
within locked down containers.
"pivot_root" -- Can be used by containers within containers
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Giuseppe Scrivano