From 0a1c28a95866f7cd79a114fcb24e67964ef3b724 Mon Sep 17 00:00:00 2001 From: Bjorn Neergaard Date: Thu, 29 Dec 2022 09:00:08 -0700 Subject: [PATCH] Revert "seccomp: block socket calls to AF_VSOCK in default profile" This reverts commit 57b229012a5b5ff97889ae44c9b6fa77ba9b3a5c. This change, while favorable from a security standpoint, caused a regression for users of the 20.10 branch of Moby. As such, we are reverting it to ensure stability and compatibility for the affected users. However, users of AF_VSOCK in containers should recognize that this (special) address family is not currently namespaced in any version of the Linux kernel, and may result in unexpected behavior, like VMs communicating directly with host hypervisors. Future branches, including the 23.0 branch, will continue to filter AF_VSOCK. Users who need to allow containers to communicate over the unnamespaced AF_VSOCK will need to turn off seccomp confinement or set a custom seccomp profile. It is our hope that future mechanisms will make this more ergonomic/maintainable for end users, and that future kernels will support namespacing of AF_VSOCK. Closes moby/moby#44670. Signed-off-by: Bjorn Neergaard
---
 profiles/seccomp/default.json | 19 ++-----------------
 profiles/seccomp/default_linux.go | 12 +-----------
 2 files changed, 3 insertions(+), 28 deletions(-)
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index fbee6eac0e959..3399c3844df2d 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -348,6 +348,7 @@
 "signalfd4",
 "sigprocmask",
 "sigreturn",
+ "socket",
 "socketcall",
 "socketpair",
 "splice",
@@ -416,22 +417,6 @@
 },
 "excludes": {}
 },
- {
- "names": [
- "socket"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 0,
- "value": 40,
- "op": "SCMP_CMP_NE"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
- },
 {
 "names": [
 "personality"
@@ -862,4 +847,4 @@
 "excludes": {}
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index 3c06d520135d9..a7e2c8049ab15 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -343,6 +343,7 @@ func DefaultProfile() *Seccomp {
 "signalfd4",
 "sigprocmask",
 "sigreturn",
+ "socket",
 "socketcall",
 "socketpair",
 "splice",
@@ -403,17 +404,6 @@ func DefaultProfile() *Seccomp {
 MinKernel: &KernelVersion{4, 8},
 },
 },
- {
- Names: []string{"socket"},
- Action: specs.ActAllow,
- Args: []*specs.LinuxSeccompArg{
- {
- Index: 0,
- Value: unix.AF_VSOCK,
- Op: specs.OpNotEqual,
- },
- },
- },
 {
 Names: []string{"personality"},
 Action: specs.ActAllow,
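Review bot: The `"socket",` entry added to the unconditional allow list in the first hunk has no comment, so a reader of the profile cannot tell that AF_VSOCK is deliberately left unfiltered on this branch. The commit message says this address family is not namespaced and that later branches keep the filter, and that rationale should sit beside the entry, for example `// socket is allowed for every address family on this branch, including the un-namespaced AF_VSOCK (see moby/moby#44670); use a custom profile to restrict it`. The same entry is added to default.json, which has no comment syntax, so the Go source is the place to record it. DefaultProfile's body starts and ends outside the hunk.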