Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[20.10 backport] seccomp: block socket calls to AF_VSOCK in default profile #44564

Merged

Conversation

thaJeztah
Copy link
Member

backport:

related:

This syncs the seccomp-profile with the latest changes in containerd's profile, applying the same changes as containerd/containerd@17a9324

Some background from the associated ticket:

We want to use vsock for guest-host communication on KubeVirt
(https://github.com/kubevirt/kubevirt). In KubeVirt we run VMs in pods.

However since anyone can just connect from any pod to any VM with the
default seccomp settings, we cannot limit connection attempts to our
privileged node-agent.

Describe the solution you'd like

We want to deny the socket syscall for the AF_VSOCK family by default.

I see in 1 and 2 that AF_VSOCK was actually already blocked for some
time, but that got reverted since some architectures support the socketcall
syscall which can't be restricted properly. However we are mostly interested
in arm64 and amd64 where limiting socket would probably be enough.

Additional context

I know that in theory we could use our own seccomp profiles, but we would want
to provide security for as many users as possible which use KubeVirt, and there
it would be very helpful if this protection could be added by being part of the
DefaultRuntime profile to easily ensure that it is active for all pods 3.

Impact on existing workloads: It is unlikely that this will disturb any existing
workload, becuase VSOCK is almost exclusively used for host-guest commmunication.
However if someone would still use it: Privileged pods would still be able to
use socket for AF_VSOCK, custom seccomp policies could be applied too.
Further it was already blocked for quite some time and the blockade got lifted
due to reasons not related to AF_VSOCK.

The PR in KubeVirt which adds VSOCK support for additional context: 4

- Description for the changelog

- seccomp: AF_VSOCK is not blocked by default in the default profile

- A picture of a cute animal (not mandatory but encouraged)

This syncs the seccomp-profile with the latest changes in containerd's
profile, applying the same changes as containerd/containerd@17a9324

Some background from the associated ticket:

> We want to use vsock for guest-host communication on KubeVirt
> (https://github.com/kubevirt/kubevirt). In KubeVirt we run VMs in pods.
>
> However since anyone can just connect from any pod to any VM with the
> default seccomp settings, we cannot limit connection attempts to our
> privileged node-agent.
>
> ### Describe the solution you'd like
> We want to deny the `socket` syscall for the `AF_VSOCK` family by default.
>
> I see in [1] and [2] that AF_VSOCK was actually already blocked for some
> time, but that got reverted since some architectures support the `socketcall`
> syscall which can't be restricted properly. However we are mostly interested
> in `arm64` and `amd64` where limiting `socket` would probably be enough.
>
> ### Additional context
> I know that in theory we could use our own seccomp profiles, but we would want
> to provide security for as many users as possible which use KubeVirt, and there
> it would be very helpful if this protection could be added by being part of the
> DefaultRuntime profile to easily ensure that it is active for all pods [3].
>
> Impact on existing workloads: It is unlikely that this will disturb any existing
> workload, becuase VSOCK is almost exclusively used for host-guest commmunication.
> However if someone would still use it: Privileged pods would still be able to
> use `socket` for `AF_VSOCK`, custom seccomp policies could be applied too.
> Further it was already blocked for quite some time and the blockade got lifted
> due to reasons not related to AF_VSOCK.
>
> The PR in KubeVirt which adds VSOCK support for additional context: [4]
>
> [1]: moby#29076 (comment)
> [2]: moby@dcf2632
> [3]: https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads
> [4]: kubevirt/kubevirt#8546

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 57b2290)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
Copy link
Member Author

/cc @gabriellavengeo

@thaJeztah
Copy link
Member Author

Let me bring this one in (also discussed with @justincormack, and he mentioned there's no known valid use-cases for AF_VSOCK, so should be fine to block by default).

@thaJeztah thaJeztah merged commit cfb3ebe into moby:20.10 Dec 5, 2022
@thaJeztah thaJeztah deleted the 20.10_backport_seccomp_block_af_vsock branch December 5, 2022 12:31
@gaby
Copy link

gaby commented Dec 17, 2022

@thaJeztah @AkihiroSuda @gabriellavengeo Who's idea was to backport this into a patch release?

I spent hours debugging systems trying to understand why out of nowhere AF_VSOCK stopped working inside containers.

paralin added a commit to skiffos/buildroot that referenced this pull request Jan 13, 2023
Bug fixes and enhancements

 - Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569)
 - Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
 - Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#3862).
 - seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#44564).

https://github.com/moby/moby/releases/tag/v20.10.22

Signed-off-by: Christian Stewart <christian@paral.in>
paralin added a commit to skiffos/buildroot that referenced this pull request Jan 13, 2023
Bug fixes and enhancements

 - Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569)
 - Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
 - Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#3862).
 - seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#44564).

https://github.com/moby/moby/releases/tag/v20.10.22

Signed-off-by: Christian Stewart <christian@paral.in>
arnout pushed a commit to buildroot/buildroot that referenced this pull request Jan 14, 2023
Bug fixes and enhancements

 - Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569)
 - Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
 - Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#3862).
 - seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#44564).

https://github.com/moby/moby/releases/tag/v20.10.22

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
arnout pushed a commit to buildroot/buildroot that referenced this pull request Jan 15, 2023
Bug fixes and enhancements

 - Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569)
 - Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
 - Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#3862).
 - seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#44564).

https://github.com/moby/moby/releases/tag/v20.10.22

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit de51efc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
arnout pushed a commit to buildroot/buildroot that referenced this pull request Jan 15, 2023
Bug fixes and enhancements

 - Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569)
 - Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
 - Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#3862).
 - seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#44564).

https://github.com/moby/moby/releases/tag/v20.10.22

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit de51efc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants