From 5c0c1eed40140aacb67f53f8682bcc672929967c Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Thu, 17 Oct 2019 09:59:47 +0100 Subject: [PATCH 1/5] Remove ptrace from blocked syscalls Update documentation to reflect that ptrace is no longer blocked on the default profile. More information: https://github.com/moby/moby/commit/1124543ca8071074a537a15db251af46a5189907#diff-0ebf5796a57d68894d5550c407061035 --- engine/security/seccomp.md | 1 - 1 file changed, 1 deletion(-) diff --git a/engine/security/seccomp.md b/engine/security/seccomp.md index c001f28c7a..f552c12ebd 100644 --- a/engine/security/seccomp.md +++ b/engine/security/seccomp.md @@ -94,7 +94,6 @@ the reason each syscall is blocked rather than white-listed. | `pivot_root` | Deny `pivot_root`, should be privileged operation. | | `process_vm_readv` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | | `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | -| `ptrace` | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. | | `query_module` | Deny manipulation and functions on kernel modules. Obsolete. | | `quotactl` | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. | | `reboot` | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`. | From 2adcf3bd6671c60a4c7bb392a7032ab354a6335a Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Tue, 29 Oct 2019 14:51:22 +0000 Subject: [PATCH 2/5] Add minKernel details for ptrace Changes brought up by commit: https://github.com/moby/moby/commit/1124543ca8071074a537a15db251af46a5189907#diff-0ebf5796a57d68894d5550c407061035 --- engine/security/seccomp.md | 1 + 1 file changed, 1 insertion(+) diff --git a/engine/security/seccomp.md b/engine/security/seccomp.md index f552c12ebd..21ec4d36c2 100644 --- a/engine/security/seccomp.md 
+++ b/engine/security/seccomp.md @@ -94,6 +94,7 @@ the reason each syscall is blocked rather than white-listed. | `pivot_root` | Deny `pivot_root`, should be privileged operation. | | `process_vm_readv` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | | `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | +| `ptrace` | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. Blocked in kernel versions before 4.8, as it provides a way to bypass seccomp policies. | | `query_module` | Deny manipulation and functions on kernel modules. Obsolete. | | `quotactl` | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. | | `reboot` | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`. | From 432b7c4134a44e432d57d0b1d72f11d2f09591eb Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Thu, 28 Nov 2019 09:06:03 +0000 Subject: [PATCH 3/5] Improve clarity. --- engine/security/seccomp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/security/seccomp.md b/engine/security/seccomp.md index 21ec4d36c2..6d520ae37e 100644 --- a/engine/security/seccomp.md +++ b/engine/security/seccomp.md 
@@ -94,7 +94,7 @@ the reason each syscall is blocked rather than white-listed. | `pivot_root` | Deny `pivot_root`, should be privileged operation. | | `process_vm_readv` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | | `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | -| `ptrace` | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. Blocked in kernel versions before 4.8, as it provides a way to bypass seccomp policies. | +| `ptrace` | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. Blocked in Linux kernel versions before 4.8 to mitigate CVE-2019-2054. | | `query_module` | Deny manipulation and functions on kernel modules. Obsolete. | | `quotactl` | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. | | `reboot` | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`. | From 1962410b61c1ea0c70dfe0e98886df4907171579 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Thu, 28 Nov 2019 12:30:44 +0000 Subject: [PATCH 4/5] Corrections based on feedback --- engine/security/seccomp.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/engine/security/seccomp.md b/engine/security/seccomp.md index 6d520ae37e..916d51f970 100644 --- a/engine/security/seccomp.md +++ b/engine/security/seccomp.md 
@@ -94,7 +94,8 @@ the reason each syscall is blocked rather than white-listed. | `pivot_root` | Deny `pivot_root`, should be privileged operation. | | `process_vm_readv` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | | `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | -| `ptrace` | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. Blocked in Linux kernel versions before 4.8 to mitigate CVE-2019-2054. | +| `ptrace` | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. Blocked in Linux kernel versions before 4.8 to avoid seccomp bypass. +| | `query_module` | Deny manipulation and functions on kernel modules. Obsolete. | | `quotactl` | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. | | `reboot` | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`. | From 9c2520fa27063cfd243ed40f70e5a89ad54f2efb Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Thu, 28 Nov 2019 12:33:15 +0000 Subject: [PATCH 5/5] Fix table --- engine/security/seccomp.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/engine/security/seccomp.md b/engine/security/seccomp.md index 916d51f970..8aa98a0f0a 100644 --- a/engine/security/seccomp.md +++ b/engine/security/seccomp.md 
@@ -94,8 +94,7 @@ the reason each syscall is blocked rather than white-listed. | `pivot_root` | Deny `pivot_root`, should be privileged operation. | | `process_vm_readv` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | | `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | -| `ptrace` | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. Blocked in Linux kernel versions before 4.8 to avoid seccomp bypass. -| +| `ptrace` | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. Blocked in Linux kernel versions before 4.8 to avoid seccomp bypass. | | `query_module` | Deny manipulation and functions on kernel modules. Obsolete. | | `quotactl` | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. | | `reboot` | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`. |
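Review bot: in PATCH 1/5, deleting the `ptrace` row outright overstates what the commit message describes. The referenced moby change gates `ptrace` on the running kernel version (PATCH 2/5 then adds "Blocked in kernel versions before 4.8"), so on older kernels the syscall is still denied and the table would no longer say so. Keep the row and qualify it rather than removing it in one commit and re-adding it in the next; squashing 1/5 and 2/5 would give a single reviewable change.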
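Review bot: in PATCH 2/5, the new row says the syscall is blocked "in kernel versions before 4.8" but not how the profile expresses that gate. Since the commit subject refers to `minKernel`, a short mention that the default profile allows `ptrace` only when the kernel satisfies the entry's `minKernel` condition would let readers locate the setting when auditing a custom profile. Prefer "Linux kernel versions" here, as PATCH 3/5 later does. Separately, the capability that gates process tracing is `CAP_SYS_PTRACE`; this row and the neighbouring `process_vm_readv`/`process_vm_writev` context rows say `CAP_PTRACE`, which deserves a follow-up fix.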
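Review bot: in PATCH 3/5, the row now cites CVE-2019-2054 with no link or reference anywhere in the series, so a reader of the table cannot confirm that this identifier corresponds to the seccomp bypass the previous wording described. Either add a reference beside the identifier or keep the descriptive "seccomp bypass" wording (PATCH 4/5 reverts to the latter). Whichever is kept, the row should state both halves of the behaviour: blocked on kernels before 4.8, allowed from 4.8 onward.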
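Review bot: in PATCH 4/5, the added `ptrace` row is split across two lines: the first `+` line ends after "seccomp bypass." without the closing `|`, and the `|` is added on a line of its own, which breaks the Markdown table at that row. The closing pipe belongs at the end of the same line, as PATCH 5/5 then does; squash 4/5 into 5/5 so that no commit in the series leaves the table malformed.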
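Review bot: in PATCH 5/5, the row is now well-formed, but the phrase "Blocked in Linux kernel versions before 4.8 to avoid seccomp bypass" leaves the reader to infer the default on current kernels. Consider making the positive case explicit, e.g. "Allowed on Linux kernel 4.8 and later; blocked on earlier kernels to avoid a seccomp bypass." This one line has been rewritten in each of 2/5 through 5/5, so squashing the series into one commit with the final wording would keep the history coherent.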