If possible, apply seccomp rules immediately before exec #789
Merged: crosbymichael merged 1 commit into opencontainers:master from justincormack:unprivseccomp on Apr 28, 2016
Conversation
// Without NoNewPrivileges seccomp is a privileged operation, so we need to | ||
// do this before dropping capabilities; otherwise do it as late as possible | ||
// just before execve so as few syscalls take place after it as possible. | ||
if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges == false { |
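Review bot: the condition on the last line, `l.config.Config.Seccomp != nil && l.config.NoNewPrivileges == false`, compares a bool against `false`; write it as `!l.config.NoNewPrivileges`. The comment above it describes a second path (apply the filter just before execve when no_new_privs is set) that is not in this hunk; the late site needs to be guarded by the exact complement of this condition so that the filter is applied on exactly one of the two paths and can never be skipped on both.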
!l.config.NoNewPrivileges
See moby/moby#22252

Previously we would apply seccomp rules before applying capabilities, because it requires CAP_SYS_ADMIN. This however means that a seccomp profile needs to allow operations such as setcap() and setuid() which you might reasonably want to disallow.

If prctl(PR_SET_NO_NEW_PRIVS) has been applied however setting a seccomp filter is an unprivileged operation. Therefore if this has been set, apply the seccomp filter as late as possible, after capabilities have been dropped and the uid set.

Note a small number of syscalls will take place after the filter is applied, such as `futex`, `stat` and `execve`, so these still need to be allowed in addition to any the program itself needs.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
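The ordering this commit message describes, as an added C example that is not runc's code: set no_new_privs first (the point at which runc has already dropped capabilities and set the uid), install a kill-by-default seccomp filter as the very last step, and then issue the syscalls that unavoidably follow it (execve and exit_group here), so they must be on the allowlist. The filter contents, the AUDIT_ARCH selection and the nonexistent exec path are assumptions of the example; it is Linux-only and assumes x86_64 or aarch64.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __x86_64__
#define ARCH_NR AUDIT_ARCH_X86_64   /* a filter must reject foreign-ABI syscalls */
#else
#define ARCH_NR AUDIT_ARCH_AARCH64  /* assumption: only x86_64 or aarch64 here */
#endif
/* Two BPF instructions: allow if nr == (x), otherwise fall through to the next check. */
#define ALLOW(x) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (x), 0, 1), \
                 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Kill-by-default filter allowing only what the commit message says still runs after
 * installation (futex, stat family, execve) plus exit_group; allow_execve == 0 omits execve. */
static int install_filter(int allow_execve) {
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(__NR_exit_group), ALLOW(__NR_futex), ALLOW(__NR_newfstatat),
        ALLOW(allow_execve ? __NR_execve : __NR_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { sizeof(code) / sizeof(code[0]), code };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Child follows the PR's order: no_new_privs, then the filter as the last step, then
 * the syscalls that follow it. Returns the exit status, or the signal that killed it. */
int run_child(int allow_execve) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(2);
        if (install_filter(allow_execve) != 0) _exit(3);
        /* Constructed nonexistent path: ENOENT if execve is allowed, SIGSYS if it is not. */
        char *const argv[] = { (char *)"true", NULL }, *const envp[] = { NULL };
        execve("/nonexistent/example-path", argv, envp);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : WEXITSTATUS(status);
}
```

`run_child(1)` returns 0 because execve and exit_group both pass the filter, while `run_child(0)` returns SIGSYS: the very first syscall after installation is execve and the profile no longer allows it.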
justincormack force-pushed the unprivseccomp branch from da99a38 to e18de63 on April 27, 2016 19:07
LGTM
1 similar comment
LGTM
justincormack added a commit to justincormack/docker that referenced this pull request on Jul 13, 2016:
The change to runc in opencontainers/runc#789 was not documented previously. Also say what this affects and clean up layout of initial table as there was some miscolouration of the continuation lines. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
tiborvass pushed a commit to tiborvass/docker that referenced this pull request on Jul 26, 2016:
The change to runc in opencontainers/runc#789 was not documented previously. Also say what this affects and clean up layout of initial table as there was some miscolouration of the continuation lines. Signed-off-by: Justin Cormack <justin.cormack@docker.com> (cherry picked from commit 3050d9a) Signed-off-by: Tibor Vass <tibor@docker.com>
rchicoli pushed a commit to rchicoli/docker that referenced this pull request on Nov 12, 2016:
The change to runc in opencontainers/runc#789 was not documented previously. Also say what this affects and clean up layout of initial table as there was some miscolouration of the continuation lines. Signed-off-by: Justin Cormack <justin.cormack@docker.com> (cherry picked from commit 3050d9a) Signed-off-by: Tibor Vass <tibor@docker.com>
andrewhsu pushed a commit to docker-archive/docker-ce that referenced this pull request on Jun 5, 2017:
The change to runc in opencontainers/runc#789 was not documented previously. Also say what this affects and clean up layout of initial table as there was some miscolouration of the continuation lines. Signed-off-by: Justin Cormack <justin.cormack@docker.com> Upstream-commit: 8bc84934fbb2974f9bf79afc503b5e07eb2b07d2 Component: cli
stefanberger pushed a commit to stefanberger/runc that referenced this pull request on Sep 8, 2017:
config: Shift oomScoreAdj from linux.resources to process
stefanberger pushed a commit to stefanberger/runc that referenced this pull request on Sep 8, 2017:
This should have happened in 4b49c64 (config: Shift oomScoreAdj from linux.resources to process, 2017-05-09, opencontainers#789) as part of moving the property from a Linux-specific type to a cross-platform type. Signed-off-by: W. Trevor King <wking@tremily.us>