github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

seccomp: move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG

Browse Source 
This call is what is used to implement `dmesg` to get kernel messages
about the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host, unless
the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set
by standard on the majority of distributions. Blocking this to restrict
leaks about the configuration seems correct.

Relates to docker/docker#37897 "docker exposes dmesg to containers by default"

See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
2020-08-24 11:48:28 +02:00
parent c8523cc5bb
commit 267a0cf68e
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
contrib/seccomp/seccomp_default.go
View File

@@ -346,7 +346,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
"sync_file_range", "sync_file_range",
"syncfs", "syncfs",
"sysinfo", "sysinfo",
"syslog",
"tee", "tee",
"tgkill", "tgkill",
"time", "time",
@@ -493,6 +492,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
"setdomainname", "setdomainname",
"sethostname", "sethostname",
"setns", "setns",
"syslog",
"umount", "umount",
"umount2", "umount2",
"unshare", "unshare",
@@ -564,6 +564,12 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Action: specs.ActAllow, Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{}, Args: []specs.LinuxSeccompArg{},
}) })
case "CAP_SYSLOG":
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
Names: []string{"syslog"},
Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{},
})
} }
} }