seccomp: support "clone3" (return ENOSYS unless SYS_ADMIN is granted)

clone3 is explicitly requested to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset.
See moby/moby PR 42681 (thanks to berrange).

Without this commit, rawhide image does not work:
```console
$ sudo ctr run --rm --net-host --seccomp registry.fedoraproject.org/fedora:rawhide foo /usr/bin/curl google.com
curl: (6) getaddrinfo() thread failed to start
```

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda 2021-09-13 15:36:41 +09:00
parent 493220b719
commit 55923daa9f
No known key found for this signature in database
GPG Key ID: 49524C6F9F638F1A

View File

@ -50,6 +50,7 @@ func arches() []specs.Arch {
// DefaultProfile defines the allowed syscalls for the default seccomp profile.
func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
nosys := uint(unix.ENOSYS)
syscalls := []specs.LinuxSyscall{
{
Names: []string{
@ -527,6 +528,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Names: []string{
"bpf",
"clone",
"clone3",
"fanotify_init",
"fsconfig",
"fsmount",
@ -658,6 +660,15 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
},
})
}
// clone3 is explicitly requested to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset
// https://github.com/moby/moby/pull/42681
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
Names: []string{
"clone3",
},
Action: specs.ActErrno,
ErrnoRet: &nosys,
})
}
return s