
Commit 4818435

authored
Merge pull request moby#29076 from justincormack/seccomp-socket-to-them
Block obsolete and unusual socket families in the default seccomp profile
2 parents 2169723 + 7e3a596 commit 4818435


6 files changed

+392
-7
lines changed


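--- a/contrib/syscall-test/Dockerfile
+++ b/contrib/syscall-test/Dockerfile
@@ -10,6 +10,7 @@ RUN gcc -g -Wall -static userns.c -o /usr/bin/userns-test \
 && gcc -g -Wall -static setuid.c -o /usr/bin/setuid-test \
 && gcc -g -Wall -static setgid.c -o /usr/bin/setgid-test \
 && gcc -g -Wall -static socket.c -o /usr/bin/socket-test \
-&& gcc -g -Wall -static raw.c -o /usr/bin/raw-test
+&& gcc -g -Wall -static raw.c -o /usr/bin/raw-test \
+&& gcc -g -Wall -static appletalk.c -o /usr/bin/appletalk-test
 
 RUN [ "$(uname -m)" = "x86_64" ] && gcc -s -m32 -nostdlib exit32.s -o /usr/bin/exit32-test || true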

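--- /dev/null
+++ b/contrib/syscall-test/appletalk.c
@@ -0,0 +1,12 @@
+#include <stdio.h>
+#include <sys/socket.h>
+
+int main() {
+
+if (socket(AF_APPLETALK, SOCK_DGRAM, 0) != -1) {
+fprintf(stderr, "Opening Appletalk socket worked, should be blocked\n");
+return 1;
+}
+
+return 0;
+}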
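Review bot: The check at `if (socket(AF_APPLETALK, SOCK_DGRAM, 0) != -1)` passes whenever socket() fails for any reason, so a kernel built without AF_APPLETALK support (EAFNOSUPPORT) makes the test succeed without seccomp ever being consulted, and the test proves nothing about the profile on such hosts. Seccomp denial under this profile surfaces as EPERM (the sibling test comments in docker_cli_run_unix_test.go expect "operation not permitted"), so pin that instead: add `#include <errno.h>` and change the condition to `if (socket(AF_APPLETALK, SOCK_DGRAM, 0) != -1 || errno != EPERM) {`, including `strerror(errno)` in the message so an unexpected errno is visible in the test log. Minor: `int main(void)` is the correct prototype form for a function that takes no arguments.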

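--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@@ -978,7 +978,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
 }
 
 // TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:jessie unshare --map-root-user --user sh -c whoami' with a specific profile to
-// deny unhare of a userns exits with operation not permitted.
+// deny unshare of a userns exits with operation not permitted.
 func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
 testRequires(c, SameHostDaemon, seccompEnabled, NotArm, Apparmor)
 // from sched.h
@@ -1015,6 +1015,18 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
 })
 }
 
+// TestRunSeccompProfileDenyUnusualSocketFamilies checks that rarely used socket families such as Appletalk are blocked by the default profile
+func (s *DockerSuite) TestRunSeccompProfileDenyUnusualSocketFamilies(c *check.C) {
+testRequires(c, SameHostDaemon, seccompEnabled)
+ensureSyscallTest(c)
+
+runCmd := exec.Command(dockerBinary, "run", "syscall-test", "appletalk-test")
+_, _, err := runCommandWithOutput(runCmd)
+if err != nil {
+c.Fatal("expected opening appletalk socket family to fail")
+}
+}
+
 // TestRunSeccompProfileDenyCloneUserns checks that 'docker run syscall-test'
 // with a the default seccomp profile exits with operation not permitted.
 func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {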
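Review bot: The container's output is discarded at `_, _, err := runCommandWithOutput(runCmd)` in TestRunSeccompProfileDenyUnusualSocketFamilies, so when the assertion fires the only diagnostic appletalk-test emits ("Opening Appletalk socket worked, should be blocked") — or the real reason `docker run` failed, such as a missing image — never reaches the test log. Capture it and attach it in the style ensureSyscallTest already uses: `out, _, err := runCommandWithOutput(runCmd)` followed by `c.Assert(err, checker.IsNil, check.Commentf(out))`. The doc comment promises "families" but only AF_APPLETALK is exercised; since the same commit turns the `socket` rule into an allow-list of five families, a positive check that an ordinary AF_INET/AF_UNIX socket still opens under the default profile (presumably what `socket-test` covers, though its source is not in this diff) would catch the allow-list regressing in the other direction.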

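--- a/integration-cli/fixtures_linux_daemon_test.go
+++ b/integration-cli/fixtures_linux_daemon_test.go
@@ -62,7 +62,7 @@ func ensureSyscallTest(c *check.C) {
 gcc, err := exec.LookPath("gcc")
 c.Assert(err, checker.IsNil, check.Commentf("could not find gcc"))
 
-tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw"}
+tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw", "appletalk"}
 for _, test := range tests {
 out, err := exec.Command(gcc, "-g", "-Wall", "-static", fmt.Sprintf("../contrib/syscall-test/%s.c", test), "-o", fmt.Sprintf("%s/%s-test", tmp, test)).CombinedOutput()
 c.Assert(err, checker.IsNil, check.Commentf(string(out)))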

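--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -312,8 +312,6 @@
 "signalfd",
 "signalfd4",
 "sigreturn",
-"socket",
-"socketcall",
 "socketpair",
 "splice",
 "stat",
@@ -415,6 +413,223 @@
 "includes": {},
 "excludes": {}
 },
+{
+"names": [
+"socket"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socket"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 2,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socket"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 10,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socket"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 16,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socket"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 17,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_GT"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+},
+{
+"index": 1,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+},
+{
+"index": 1,
+"value": 2,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+},
+{
+"index": 1,
+"value": 10,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+},
+{
+"index": 1,
+"value": 16,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
+{
+"names": [
+"socketcall"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 1,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+},
+{
+"index": 1,
+"value": 17,
+"valueTwo": 0,
+"op": "SCMP_CMP_EQ"
+}
+],
+"comment": "",
+"includes": {},
+"excludes": {}
+},
 {
 "names": [
 "breakpoint",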
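Review bot: The five `socketcall` rules that pair `"index": 0, "value": 1` with an `"index": 1` family comparison can never match: socketcall(2) is `(int call, unsigned long *args)`, so argument 1 is a userspace pointer to the argument block rather than the address family, and seccomp compares the raw register and cannot dereference it. Together with the preceding rule, which only allows call numbers with `"op": "SCMP_CMP_GT"` 1, the net effect is that SYS_SOCKET via socketcall is always denied — any 32-bit libc that still routes socket() through socketcall(2) (i386 depending on kernel and glibc version; the commit's own `exit32-test` shows 32-bit binaries are in scope) loses socket creation for every family, not just the unusual ones. Since the family is not inspectable on that path, the choice has to be made explicitly: either allow it unfiltered by changing the first socketcall rule to `"op": "SCMP_CMP_GE"` and deleting the five `"index": 1` rules, or keep the deny and document that 32-bit socket creation through socketcall is intentionally blocked. Separately, every new rule carries `"comment": ""`; an allow-list built from magic numbers should name them, e.g. `"comment": "AF_UNIX"`, `"AF_INET"`, `"AF_INET6"`, `"AF_NETLINK"`, `"AF_PACKET"` for values 1, 2, 10, 16, 17, and `"socketcall: SYS_SOCKET"` for the call number, so the next reviewer can audit what is and is not permitted (families such as AF_ALG or AF_VSOCK are now denied, which may be intended but is currently undocumented).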
