New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add some uses of personality syscall to default seccomp filter #20672
Conversation
LGTM |
3096303
to
469427b
Compare
Reformatted. |
I think you'll also need to re-generate the JSON version; https://github.com/docker/docker/blob/master/profiles/seccomp/default.json @jfrazelle added some code for that, see #20106 |
Oh! Janky picked that up because Jess has added that check \o/
|
Yes, good catch. Something odd though, |
Curious if that makes janky happy. It is however completely useless as something has changed and (a) my computer generates non-matching json and (b) the default json profile is incorrect and doesn't work. Will make another issue for that. |
No, janky doesnt like that either. Can someone else run |
Filed #20678 as the |
ca0bc28
to
469427b
Compare
Got this as diff (ran inside a build container 😄) diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index ddfc0f4..661abbe 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -841,7 +841,7 @@
"index": 0,
"value": 0,
"value_two": 0,
- "op": 0
+ "op": 1
}
]
},
@@ -853,7 +853,7 @@
"index": 0,
"value": 8,
"value_two": 0,
- "op": 0
+ "op": 1
}
]
},
@@ -865,7 +865,7 @@
"index": 0,
"value": 4294967295,
"value_two": 0,
- "op": 0
+ "op": 1
}
]
}, |
@thaJeztah different meaningless values, need to fix #20678 and rebase... |
336c312
to
8ffc56a
Compare
We generally want to filter the personality(2) syscall, as it allows disabling ASLR, and turning on some poorly supported emulations that have been the target of CVEs. However the use cases for reading the current value, setting the default PER_LINUX personality, and setting PER_LINUX32 for 32 bit emulation are fine. See issue moby#20634 Signed-off-by: Justin Cormack <justin.cormack@docker.com>
8ffc56a
to
39b799a
Compare
Ok added the (now working) updated json file in. |
LGTM |
Add some uses of personality syscall to default seccomp filter
@jfrazelle @justincormack should I add this to the 1.10.3 milestone for consideration? (If there will be a patch release) |
Yes, may as well be added if there is a release. |
We generally want to filter the personality(2) syscall, as it
allows disabling ASLR, and turning on some poorly supported
emulations that have been the target of CVEs. However the use
cases for reading the current value, setting the default
PER_LINUX personality, and setting PER_LINUX32 for 32 bit
emulation are fine.
See issue #20634
Signed-off-by: Justin Cormack justin.cormack@docker.com