p4u1/docker-cli
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
23,223 Commits 2 Branches 295 Tags
ee44cd51fbfce3e4dceae5cd4afa6fc697de14db
Commit Graph

6 Commits

Author SHA1 Message Date
Justin Cormack
d8866a7bcc Add new syscalls in libseccomp 2.3.0 to seccomp default profile 
This adds the following new syscalls that are supported in libseccomp 2.3.0,
including calls added up to kernel 4.5-rc4:
mlock2 - same as mlock but with a flag
copy_file_range - copy file contents, like splice but with reflink support.

The following are not added, and mentioned in docs:
userfaultfd - userspace page fault handling, mainly designed for process migration

The following are not added, only apply to less common architectures:
switch_endian
membarrier
breakpoint
set_tls
I plan to review the other architectures, some of which can now have seccomp
enabled in the build as they are now supported.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 96896f2d0bc16269778dd4f60a4920b49953ffed
Component: engine
 2016-03-16 21:17:32 +00:00
Justin Cormack
8df9af807b Allow restart_syscall in default seccomp profile 
Fixes #20818

This syscall was blocked as there was some concern that it could be
used to bypass filtering of other syscall arguments. However none of the
potential syscalls where this could be an issue (poll, nanosleep,
clock_nanosleep, futex) are blocked in the default profile anyway.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 5abd881883883a132f96f8adb1b07b5545af452b
Component: engine
 2016-03-11 16:44:11 +00:00
Justin Cormack
288ebd11a3 Add ipc syscall to default seccomp profile 
On 32 bit x86 this is a multiplexing syscall for the system V
ipc syscalls such as shmget, and so needs to be allowed for
shared memory access for 32 bit binaries.

Fixes #20733

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 31410a6d79fc4ea6fa496636015bf9f53c1c8b14
Component: engine
 2016-03-05 22:12:23 +00:00
Justin Cormack
3edfa94729 Add some uses of personality syscall to default seccomp filter 
We generally want to filter the personality(2) syscall, as it
allows disabling ASLR, and turning on some poorly supported
emulations that have been the target of CVEs. However the use
cases for reading the current value, setting the default
PER_LINUX personality, and setting PER_LINUX32 for 32 bit
emulation are fine.

See issue #20634

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 39b799ac53e2ba397edc3063432d01478416dbc8
Component: engine
 2016-02-26 18:43:08 +01:00
Jessica Frazelle
bea41e64ba generate seccomp profile convert type 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: ad600239bca1ac89d9684a98d6f7f260959e81d2
Component: engine
 2016-02-19 13:32:54 -08:00
Jessica Frazelle
a45e7dc118 add default seccomp profile as json 
profile is created by go generate

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: d57816de0293e18ecfa68ac6e8c288a888912e33
Component: engine
 2016-02-08 08:19:21 -08:00