Merge pull request #64 from thaJeztah/18.09_backport_syslog

[18.09 backport] move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG Upstream-commit: 6f1145e740f35a0b805a11d5d29daa89d2a27ed0 Component: engine
2018-10-22 08:24:03 -07:00
parent 96aa81d195 cad393d146
commit cd3e286dd2
2 changed files with 26 additions and 2 deletions
--- a/components/engine/profiles/seccomp/default.json
+++ b/components/engine/profiles/seccomp/default.json
@ -329,7 +329,6 @@
 				"sync_file_range",
 				"syncfs",
 				"sysinfo",
-				"syslog",
 				"tee",
 				"tgkill",
 				"time",
@ -561,6 +560,7 @@
 				"setdomainname",
 				"sethostname",
 				"setns",
+				"syslog",
 				"umount",
 				"umount2",
 				"unshare"
@ -762,6 +762,20 @@
 				]
 			},
 			"excludes": {}
+		},
+		{
+			"names": [
+				"syslog"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYSLOG"
+				]
+			},
+			"excludes": {}
 		}
 	]
 }
--- a/components/engine/profiles/seccomp/seccomp_default.go
+++ b/components/engine/profiles/seccomp/seccomp_default.go
@ -322,7 +322,6 @@ func DefaultProfile() *types.Seccomp {
 				"sync_file_range",
 				"syncfs",
 				"sysinfo",
-				"syslog",
 				"tee",
 				"tgkill",
 				"time",
@ -492,6 +491,7 @@ func DefaultProfile() *types.Seccomp {
 				"setdomainname",
 				"sethostname",
 				"setns",
+				"syslog",
 				"umount",
 				"umount2",
 				"unshare",
@ -642,6 +642,16 @@ func DefaultProfile() *types.Seccomp {
 				Caps: []string{"CAP_SYS_NICE"},
 			},
 		},
+		{
+			Names: []string{
+				"syslog",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYSLOG"},
+			},
+		},
 	}

 	return &types.Seccomp{