[20.10 backport] seccomp: block socket calls to AF_VSOCK in default profile #44564
Merged
thaJeztah merged 1 commit into moby:20.10 from thaJeztah:20.10_backport_seccomp_block_af_vsock on Dec 5, 2022
Conversation
This syncs the seccomp-profile with the latest changes in containerd's profile, applying the same changes as containerd/containerd@17a9324

Some background from the associated ticket:

> We want to use vsock for guest-host communication on KubeVirt
> (https://github.com/kubevirt/kubevirt). In KubeVirt we run VMs in pods.
>
> However since anyone can just connect from any pod to any VM with the
> default seccomp settings, we cannot limit connection attempts to our
> privileged node-agent.
>
> ### Describe the solution you'd like
> We want to deny the `socket` syscall for the `AF_VSOCK` family by default.
>
> I see in [1] and [2] that AF_VSOCK was actually already blocked for some
> time, but that got reverted since some architectures support the `socketcall`
> syscall which can't be restricted properly. However we are mostly interested
> in `arm64` and `amd64` where limiting `socket` would probably be enough.
>
> ### Additional context
> I know that in theory we could use our own seccomp profiles, but we would want
> to provide security for as many users as possible which use KubeVirt, and there
> it would be very helpful if this protection could be added by being part of the
> DefaultRuntime profile to easily ensure that it is active for all pods [3].
>
> Impact on existing workloads: It is unlikely that this will disturb any existing
> workload, because VSOCK is almost exclusively used for host-guest communication.
> However if someone would still use it: Privileged pods would still be able to
> use `socket` for `AF_VSOCK`, custom seccomp policies could be applied too.
> Further it was already blocked for quite some time and the blockade got lifted
> due to reasons not related to AF_VSOCK.
>
> The PR in KubeVirt which adds VSOCK support for additional context: [4]
>
> [1]: moby#29076 (comment)
> [2]: moby@dcf2632
> [3]: https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads
> [4]: kubevirt/kubevirt#8546

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 57b2290)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

/cc @gabriellavengeo
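To make concrete what the quoted ticket is asking for, here is a toy evaluator of Docker-style seccomp rules, added as an illustration and not code from this PR or from moby/containerd. It shows a rule in the profile's JSON shape denying `socket` when argument 0 equals `AF_VSOCK`, and why the same rule cannot catch the multiplexed `socketcall` path the ticket mentions. The `AF_VSOCK`/`SYS_SOCKET` values come from the Linux ABI, the `errnoRet` of EINVAL is an assumption, and the profile is a constructed minimal one rather than Docker's full allowlist.

```python
import errno

# Linux ABI constants (from the kernel headers, not from the PR page): AF_VSOCK
# is address family 40; SYS_SOCKET is the socketcall(2) sub-call for socket(2).
AF_INET = 2
AF_VSOCK = 40
SYS_SOCKET = 1

# Constructed, deliberately minimal profile in Docker's seccomp JSON shape. The
# real default profile is an allowlist (defaultAction SCMP_ACT_ERRNO); only the
# AF_VSOCK rule is reproduced here, and EINVAL as its errnoRet is an assumption.
PROFILE = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [{
        "names": ["socket"],
        "action": "SCMP_ACT_ERRNO",
        "errnoRet": errno.EINVAL,
        "args": [{"index": 0, "value": AF_VSOCK, "op": "SCMP_CMP_EQ"}],
    }],
}

# OCI argument operators; for SCMP_CMP_MASKED_EQ "value" is the mask.
_OPS = {
    "SCMP_CMP_EQ": lambda arg, value, _two: arg == value,
    "SCMP_CMP_MASKED_EQ": lambda arg, value, two: (arg & value) == two,
}

def _rule_matches(rule, name, args):
    if name not in rule["names"]:
        return False
    for cmp in rule.get("args", []):
        # seccomp compares raw register values; it never dereferences pointers.
        op = _OPS[cmp["op"]]
        if not op(args[cmp["index"]], cmp["value"], cmp.get("valueTwo", 0)):
            return False
    return True

def evaluate(profile, name, args):
    """Return (action, errnoRet) for a syscall invoked with these register args."""
    for rule in profile["syscalls"]:
        if _rule_matches(rule, name, args):
            return rule["action"], rule.get("errnoRet")
    return profile["defaultAction"], None

def demo():
    """socket(AF_VSOCK) is denied, socket(AF_INET) passes, and with socketcall(2)
    the family sits behind the pointer in arg 1, so the rule cannot see it."""
    return (evaluate(PROFILE, "socket", [AF_VSOCK, 1, 0]),
            evaluate(PROFILE, "socket", [AF_INET, 1, 0]),
            evaluate(PROFILE, "socketcall", [SYS_SOCKET, 0x7FFC0000]))
```

The third case is the reason the earlier block was reverted: on architectures that route `socket` through `socketcall`, the address family is in user memory, not in a register seccomp can compare.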
AkihiroSuda approved these changes on Dec 2, 2022
gabriellavengeo approved these changes on Dec 5, 2022
Let me bring this one in (also discussed with @justincormack, and he mentioned there's no known valid use-cases for
@thaJeztah @AkihiroSuda @gabriellavengeo Whose idea was it to backport this into a patch release? I spent hours debugging systems trying to understand why out of nowhere AF_VSOCK stopped working inside containers.
paralin added a commit to skiffos/buildroot that referenced this pull request on Jan 13, 2023:

Bug fixes and enhancements
- Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569)
- Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
- Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#3862).
- seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#44564).

https://github.com/moby/moby/releases/tag/v20.10.22

Signed-off-by: Christian Stewart <christian@paral.in>
arnout pushed a commit to buildroot/buildroot that referenced this pull request on Jan 14, 2023:

Bug fixes and enhancements
- Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569)
- Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
- Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#3862).
- seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#44564).

https://github.com/moby/moby/releases/tag/v20.10.22

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
arnout pushed a commit to buildroot/buildroot that referenced this pull request on Jan 15, 2023:

Bug fixes and enhancements
- Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569)
- Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
- Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#3862).
- seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#44564).

https://github.com/moby/moby/releases/tag/v20.10.22

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit de51efc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>