syscall() emulates all other syscalls, so having this allowed makes no
sense as far as seccomp filters go.
This is a breaking change, but this probably will not break much.
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
This doesn't deny anything new (perf_event_open is currently allowed for
SYS_ADMIN)
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
the readdir syscall hasn't existed forever (wasn't present in linux
2.6.12 initial import into git), remove it and don't even bother adding
it to the list of EPERM syscalls
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
The following syscalls have been added in recent kernels and considered
for this list:
- cachestat, prints information about cache misses; it is less accurate
than userfaultfd so probably safe but deny it until a clear need
shows up
- io_pgetevents_time64: io_pgetevents is already blocked, so block this
variant as well. Note these are pretty close to io_getenvents, so we
should probably block that as well, but since it is currently allowed
keep that where it is.
- map_shadow_stack: this allows creating a new shadow stack, required for
user-space threading if shadow stack verification is enabled (prctl
PR_SET_SHADOW_STACK_STATUS with PR_SHADOW_STACK_ENABLE); this might
be required in the future but delay this decision until someone
requests it
- futex_* new interface is primarily intended for io_uring which we
disallow, and does not have any known user yet so likewise block
until someone requests it.
- quotactl_fd: this is identical to quotactl, so only allow for
SYS_ADMIN like quotactl.
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
timerfd as a syscall does not seem to have ever existed,
remove it from allowed syscalls list.
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
These have been replaced by the rt_sigaction family, and have not been
compiled in on most kernels since linux v3.9 (2013)
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Used `go fmt` rules to migrate away from deprecated functions, for
instance `gofmt -w -s -r 'ioutil.TempDir(a, b) -> os.MkdirTemp(a, b)'`
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
`github.com/pkg/errors` is deprecated since quite some time so we now
use the native error wrapping for more idiomatic golang.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Landlock is a Linux feature that enables creating security sandboxes
(see https://docs.kernel.org/userspace-api/landlock.html). Allow the
three related system calls (available since Linux 5.13):
landlock_create_ruleset, landlock_add_rule, and landlock_restrict_self.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
switch c/common to use runc cgroup creation so that we can use resource limits
This entails importing the newly refactored runc code to manage reading from and writing to cgroup.
vendoring in directly an unreleased runc commit from opencontainers/runc#3452
Signed-off-by: cdoern <cdoern@redhat.com>
unparam and exportloopref already work without changes.
For revive I had to silence many naming issues. I decided to silence them
instead of changing the name because I didn't want to break any code.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
gofumpt is a stricter version of gofmt, basically making the code more
readable, and fixing the gocritic's octalLiterar warnings like this one:
pkg/util/util_supported.go:26:17: octalLiteral: use new octal literal style, 0o722 (gocritic)
return (perm & 0722) == 0700
^
Generated by gofumpt -w .
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
We manually checked the syscalls from this list and compared it to our
supported ones:
https://github.com/seccomp/libseccomp/blob/main/src/syscalls.csv
This patch adds a bunch of new safe syscalls to be allowed, namely:
membarrier, mount_setattr, process_mrelease, sigaction, signal,
sigpending, sigprocmask, sigsuspend, syscall and timerfd.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
We have to copy both fields in the same way we did with the flags to
support them in container runtimes.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
simplify maintainance of the seccomp.json file and accept errno as
strings.
It also fixes a portability problem since errno values are arch
dependent.
The existing `DefaultErrnoRet` and `ErrnoRet` are maintained for
backward compatibility but they are obsoleted and will be removed in a
future release.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This prevents
"defaultErrnoRet": null,
from appearing in seccomp.json.
This member is similar to ErrnoRet in type Syscall,
and should also be marked with omitempty.
Fixes: c662eb936b
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Add support to specify the default errno return value.
The OCI runtime specs already have support for it, and both crun (>=
0.19) and runc (>= 1.0-rc95) have support for it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
add missing equivalents of already allowed syscalls for 32-bit platforms
with 64-bit time for countering Y2038
Fixes#593
Signed-off-by: Jan Palus <jpalus@fastmail.com>
In order to run containers within containers via podman
and do a podman exec, we need to allow setns syscalls.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
It does not make sense to check if seccomp is supported by the kernel
more than once per runtime, so let's use sync.Once to speed it up.
A quick benchmark:
BenchmarkIsSupported-4 1252161 947 ns/op
BenchmarkIsSupportedOnce-4 666274008 2.14 ns/op
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Current implementation of seccomp.IsSupported (rooted in runc) is not
very good.
First, it parses the whole /proc/self/status, adding each key: value
pair into the map (lots of allocations and future work for garbage
collector), when using a single key from that map.
Second, the presence of "Seccomp" key in /proc/self/status merely means
that kernel option CONFIG_SECCOMP is set, but there is a need to _also_
check for CONFIG_SECCOMP_FILTER (the code for which exists but never
executed in case /proc/self/status has Seccomp key).
Replace all this with a single call to prctl; see the long comment in
the code for details.
NOTE historically, parsing /proc/self/status was added after a concern
was raised in https://github.com/opencontainers/runc/pull/471 that
prctl(PR_GET_SECCOMP, ...) can result in the calling process being
killed with SIGKILL. This is a valid concern, so the new code here
does not use PR_GET_SECCOMP at all.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This mirrors the Docker and containerd changes, with the caveat that
because mount(2) is permitted under podman for all containers we
therefore add all of the v2 mount API syscalls as available to all
containers.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
The generate.go script used to fill the default seccomp profile file is
quite important as otherwise distributions will end up having outdated
seccomp filters even after a podman update.
This script comes from the Docker repo.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Several syscalls were enabled globally (SCMP_ACT_ALLOW without any
conditions for all containers), but also had conditional rules later in
the profile (likely inherited from Docker). The following syscalls do
not need special casing because they were globally enabled:
* clone, unshare, mount, umount, umount2 all had special CAP_SYS_ADMIN
restrictions but those don't make sense since they were also enabled
for all containers.
* reboot was permitted for CAP_SYS_BOOT and all containers.
* name_to_handle_at was permitted for CAP_SYS_ADMIN, CAP_SYS_NICE(?),
and all containers.
And certain syscalls had globally-enabled rules when they shouldn't
have:
* socket has special rules for CAP_AUDIT_WRITE but it also had a global
"allow unconditionally" rule. It turns out that libseccomp will
override unconditional rules with conditional ones but this is
somewhat of an implementation detail and it's much safer to remove
the rule and use the existing cases.
Now the only syscalls remaining with complicated rules (meaning they
appear more than once in the profile) are:
* sync_file_range2 which is architecture specific (though in principle
we could move it to enabled-without-rules because runc ignores
unknown syscalls).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Currently this code is not building correctly on darwin builds.
This PR handles non linux platforms correctly.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Giuseppe Scrivano