Add process_vm read and write calls to default seccomp profile

Follow up to 94faa70df4. The commit referenced allowed `ptrace` calls in the default seccomp profile following the usual tracing security checks for kernels newer than 4.8. Kernels prior to this version are susceptible to [CVE-2019-2054](https://github.com/advisories/GHSA-qgfr-27qf-f323). Moby's default had allowed for `ptrace` for kernels newer than 4.8 at the time the commit was created. The current [seccomp default](https://github.com/moby/moby/blob/master/profiles/seccomp/default_linux.go#L405-L417) has been updated to include `process_vm_read` and `process_vm_write`. Mirror that policy to complete the classic ptrace set of APIs.

Signed-off-by: Juan Hoyos <juan.s.hoyos@outlook.com>
Juan Hoyos 2022-11-18 02:04:19 -05:00 committed by Juan Sebastian Hoyos Ayala
parent 223f67ccdb
commit e224f77eb7

@ -489,7 +489,11 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
kernelversion.KernelVersion{Kernel: 4, Major: 8}); err == nil { kernelversion.KernelVersion{Kernel: 4, Major: 8}); err == nil {
if ok { if ok {
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
Names: []string{"ptrace"}, Names: []string{
"process_vm_read",
"process_vm_write",
"ptrace",
},
Action: specs.ActAllow, Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{}, Args: []specs.LinuxSeccompArg{},
}) })
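Review bot: the two names added in this hunk, `"process_vm_read"` and `"process_vm_write"`, are not Linux syscall names; the syscalls are `process_vm_readv` and `process_vm_writev` (both carry the `v` suffix, like `readv`/`writev`), so as written the new entries cannot allow the calls the change intends and the ptrace group is not actually mirrored. Suggest `"process_vm_readv",` and `"process_vm_writev",` in place of the two added strings, and the same correction in the commit message, which uses the truncated names as well. The surrounding `ok` / kernel 4.8 gate and the empty `Args` are untouched, so once the names are fixed the new syscalls inherit exactly the same version gating as `ptrace`, which is the intended behaviour.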