-rwxr-xr-x | profiles/seccomp/default.json | 75 | ||||
-rw-r--r-- | profiles/seccomp/seccomp_default.go | 85 |
2 files changed, 71 insertions, 89 deletions
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 212ff49942..51ec3d43bb 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -57,6 +57,16 @@
 "args": []
 },
 {
+ "name": "chown",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "chown32",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
 "name": "clock_getres",
 "action": "SCMP_ACT_ALLOW",
 "args": []
@@ -212,6 +222,21 @@
 "args": []
 },
 {
+ "name": "fchown",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "fchown32",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "fchownat",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
 "name": "fcntl",
 "action": "SCMP_ACT_ALLOW",
 "args": []
@@ -557,6 +582,16 @@
 "args": []
 },
 {
+ "name": "lchown",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "lchown32",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
 "name": "lgetxattr",
 "action": "SCMP_ACT_ALLOW",
 "args": []
@@ -1523,41 +1558,6 @@
 "args": []
 },
 {
- "name": "chown",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "chown32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "fchown",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "fchown32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "fchownat",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "lchown",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "lchown32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
 "name": "chroot",
 "action": "SCMP_ACT_ALLOW",
 "args": []
@@ -1573,11 +1573,6 @@
 "op": "SCMP_CMP_MASKED_EQ"
 }
 ]
- },
- {
- "name": "fchown",
- "action": "SCMP_ACT_ALLOW",
- "args": []
 }
 ]
 }
\ No newline at end of file
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index a088412351..a6e2c653be 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -89,6 +89,17 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Args: []*types.Arg{},
 },
 {
+ Name: "chown",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Name: "chown32",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+
+ {
 Name: "clock_getres",
 Action: types.ActAllow,
 Args: []*types.Arg{},
@@ -244,6 +255,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Args: []*types.Arg{},
 },
 {
+ Name: "fchown",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Name: "fchown32",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Name: "fchownat",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
 Name: "fcntl",
 Action: types.ActAllow,
 Args: []*types.Arg{},
@@ -589,6 +615,16 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Args: []*types.Arg{},
 },
 {
+ Name: "lchown",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Name: "lchown32",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
 Name: "lgetxattr",
 Action: types.ActAllow,
 Args: []*types.Arg{},
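Review bot: The first hunk of seccomp_default.go adds a stray blank `+` line between the `chown32` entry and the `{` that opens `clock_getres`; no other entry in this literal is separated that way, so drop the empty line to keep the list uniform. The same seven entries are also hand-added to default.json in this commit, and the two lists are kept in step only by editing both; if nothing already asserts that the JSON profile and `DefaultProfile` agree, a small test comparing the syscall names would catch the next drift. These hunks sit inside the `syscalls` literal of `DefaultProfile`, which starts and ends outside them.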
@@ -1591,44 +1627,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 var cap string
 for _, cap = range rs.Process.Capabilities {
 switch cap {
- case "CAP_CHOWN":
- syscalls = append(syscalls, []*types.Syscall{
- {
- Name: "chown",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "chown32",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "fchown",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "fchown32",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "fchownat",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "lchown",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "lchown32",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- }...)
 case "CAP_DAC_READ_SEARCH":
 syscalls = append(syscalls, []*types.Syscall{
 {
@@ -1853,17 +1851,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 }...)
 }
 
- // We need some additional syscalls in this case see #22252
- if !rs.Process.NoNewPrivileges {
- syscalls = append(syscalls, []*types.Syscall{
- {
- Name: "fchown",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- }...)
- }
-
 return &types.Seccomp{
 DefaultAction: types.ActErrno,
 Architectures: arches(),
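Review bot: Dropping the `case "CAP_CHOWN":` arm and the `!rs.Process.NoNewPrivileges` block removes the only written rationale for how the chown family is gated, and the `#22252` reference goes with it, while the unconditional entries added earlier in this file carry no comment at all. The effect, as far as these hunks show, is that seccomp no longer restricts `chown`/`fchown`/`lchown` and their variants based on the container's capability set, so whether such a call succeeds now rests on the kernel's own capability and ownership checks rather than on this profile; that is a deliberate widening and should be stated where the entries live. A comment above the new `chown` entry along the lines of `// chown family is allowed unconditionally; the kernel's CAP_CHOWN/DAC checks decide whether the call succeeds (previously gated on CAP_CHOWN and, for fchown, on NoNewPrivileges; see #22252).` would preserve that history. The `for _, cap = range rs.Process.Capabilities` loop and `DefaultProfile` itself both start outside this hunk.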