Skip to content

[20.10 backport] seccomp updates #43991

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 18, 2022
Merged

[20.10 backport] seccomp updates #43991

merged 2 commits into from
Aug 18, 2022
+16 −0

Conversation

thaJeztah
Copy link
Member

Xyene and others added 2 commits August 18, 2022 18:55
@Xyene @thaJeztah
seccomp: add support for Landlock syscalls in default policy

Verified

This commit was signed with the committer’s verified signature.
thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C
Verified
Learn about vigilant mode
57db169 
This commit allows the Landlock[0] system calls in the default seccomp
policy.

Landlock was introduced in kernel 5.13, to fill the gap that inspecting
filepaths passed as arguments to filesystem system calls is not really
possible with pure `seccomp` (unless involving `ptrace`).

Allowing Landlock by default fits in with allowing `seccomp` for
containerized applications to voluntarily restrict their access rights
to files within the container.

[0]: https://www.kernel.org/doc/html/latest/userspace-api/landlock.html

Signed-off-by: Tudor Brindus <me@tbrindus.ca>
(cherry picked from commit af819bf)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@rumpl @thaJeztah
Allow different syscalls from kernels 5.12 -> 5.16

Verified

This commit was signed with the committer’s verified signature.
thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C
Verified
Learn about vigilant mode
d127287 
Kernel 5.12:

    mount_setattr: needs CAP_SYS_ADMIN

Kernel 5.14:

    quotactl_fd: needs CAP_SYS_ADMIN
    memfd_secret: always allowed

Kernel 5.15:

    process_mrelease: always allowed

Kernel 5.16:

    futex_waitv: always allowed

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
(cherry picked from commit 7de9f4f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added this to the 20.10.18 milestone Aug 18, 2022
@thaJeztah thaJeztah merged commit 62fd718 into moby:20.10 Aug 18, 2022
@thaJeztah thaJeztah deleted the 20.10_seccomp_updates branch August 18, 2022 19:28
@breakings breakings mentioned this pull request Sep 9, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda

Assignees
No one assigned
Labels
area/security/seccomp impact/changelog status/2-code-review
Projects
None yet
Milestone
20.10.18
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@thaJeztah @AkihiroSuda @Xyene @rumpl