
Commit dcf2632

committed
Revert "Block obsolete socket families in the default seccomp profile"
This reverts commit 7e3a596. Unfortunately, it was pointed out in moby#29076 (comment) that the `socketcall` syscall takes a pointer to a struct so it is not possible to use seccomp profiles to filter it. This means these cannot be blocked as you can use `socketcall` to call them regardless, as we currently allow 32 bit syscalls. Users who wish to block these should use a seccomp profile that blocks all 32 bit syscalls and then just block the non socketcall versions. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
1 parent 85a7f4b commit dcf2632

6 files changed

+6
-391
lines changed


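--- a/contrib/syscall-test/Dockerfile
+++ b/contrib/syscall-test/Dockerfile
@@ -10,7 +10,6 @@ RUN gcc -g -Wall -static userns.c -o /usr/bin/userns-test \
 && gcc -g -Wall -static setuid.c -o /usr/bin/setuid-test \
 && gcc -g -Wall -static setgid.c -o /usr/bin/setgid-test \
 && gcc -g -Wall -static socket.c -o /usr/bin/socket-test \
-&& gcc -g -Wall -static raw.c -o /usr/bin/raw-test \
-&& gcc -g -Wall -static appletalk.c -o /usr/bin/appletalk-test
+&& gcc -g -Wall -static raw.c -o /usr/bin/raw-test
 
 RUN [ "$(uname -m)" = "x86_64" ] && gcc -s -m32 -nostdlib exit32.s -o /usr/bin/exit32-test || true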

contrib/syscall-test/appletalk.c

Lines changed: 0 additions & 12 deletions
This file was deleted.

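--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@@ -1015,18 +1015,6 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
 })
 }
 
-// TestRunSeccompProfileDenyUnusualSocketFamilies checks that rarely used socket families such as Appletalk are blocked by the default profile
-func (s *DockerSuite) TestRunSeccompProfileDenyUnusualSocketFamilies(c *check.C) {
-testRequires(c, SameHostDaemon, seccompEnabled)
-ensureSyscallTest(c)
-
-runCmd := exec.Command(dockerBinary, "run", "syscall-test", "appletalk-test")
-_, _, err := runCommandWithOutput(runCmd)
-if err != nil {
-c.Fatal("expected opening appletalk socket family to fail")
-}
-}
-
 // TestRunSeccompProfileDenyCloneUserns checks that 'docker run syscall-test'
 // with a the default seccomp profile exits with operation not permitted.
 func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {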

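--- a/integration-cli/fixtures_linux_daemon_test.go
+++ b/integration-cli/fixtures_linux_daemon_test.go
@@ -60,7 +60,7 @@ func ensureSyscallTest(c *check.C) {
 gcc, err := exec.LookPath("gcc")
 c.Assert(err, checker.IsNil, check.Commentf("could not find gcc"))
 
-tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw", "appletalk"}
+tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw"}
 for _, test := range tests {
 out, err := exec.Command(gcc, "-g", "-Wall", "-static", fmt.Sprintf("../contrib/syscall-test/%s.c", test), "-o", fmt.Sprintf("%s/%s-test", tmp, test)).CombinedOutput()
 c.Assert(err, checker.IsNil, check.Commentf(string(out)))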

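--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -314,6 +314,8 @@
 "signalfd",
 "signalfd4",
 "sigreturn",
+"socket",
+"socketcall",
 "socketpair",
 "splice",
 "stat",
@@ -449,223 +451,6 @@
 "includes": {},
 "excludes": {}
 },
-{
-"names": [
-"socket"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 1,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
-{
-"names": [
-"socket"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 2,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
-{
-"names": [
-"socket"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 10,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
-{
-"names": [
-"socket"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 16,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
-{
-"names": [
-"socket"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 17,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
-{
-"names": [
-"socketcall"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 1,
-"valueTwo": 0,
-"op": "SCMP_CMP_GT"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
-{
-"names": [
-"socketcall"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 1,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-},
-{
-"index": 1,
-"value": 1,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
-{
-"names": [
-"socketcall"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 1,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-},
-{
-"index": 1,
-"value": 2,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
-{
-"names": [
-"socketcall"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 1,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-},
-{
-"index": 1,
-"value": 10,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
-{
-"names": [
-"socketcall"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 1,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-},
-{
-"index": 1,
-"value": 16,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
-{
-"names": [
-"socketcall"
-],
-"action": "SCMP_ACT_ALLOW",
-"args": [
-{
-"index": 0,
-"value": 1,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-},
-{
-"index": 1,
-"value": 17,
-"valueTwo": 0,
-"op": "SCMP_CMP_EQ"
-}
-],
-"comment": "",
-"includes": {},
-"excludes": {}
-},
 {
 "names": [
 "sync_file_range2"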
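Review bot: The unconditional `socket` and `socketcall` entries restored at new lines 317–318 carry no record of why per-family filtering was dropped; that rationale lives only in the commit message, so a later reader of the allow list may attempt the same per-family rules again. The deleted rules show the limitation: `socketcall(2)` receives its socket arguments through a pointer (the removed `"index": 1` comparisons), which a seccomp filter cannot inspect, so any family restriction on `socket` alone is bypassable while 32-bit syscalls remain allowed. Consider recording this in the `comment` field of the rule that holds these names, or in the seccomp profile documentation, e.g. `"comment": "socket and socketcall are allowed for all families: socketcall takes its arguments via a pointer, so family filtering here would be bypassable on 32-bit ABIs"`. The rule object that the first hunk extends begins outside the hunk.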
