Commit Graph

21 Commits

Author SHA1 Message Date
80207e0951 Merge pull request #18974 from jfrazelle/remove-seccomp-from-seccomp-profile
remove seccomp from seccomp profile
Upstream-commit: abc695d9d540610546e860ed5a9e432685b924b3
Component: engine
2015-12-29 13:15:14 -08:00
1149d92821 Merge pull request #18969 from justincormack/vm86
Block vm86 syscalls in default seccomp profile
Upstream-commit: a81e438544500a121298c82f340db490efda8a86
Component: engine
2015-12-29 11:57:35 -08:00
44a3b715ef Merge pull request #18972 from justincormack/bpf
Block bpf syscall from default seccomp profile
Upstream-commit: 2307f47fdd2b3079cb623a69b0fa0a0ef502c624
Component: engine
2015-12-29 11:57:07 -08:00
ed8f5303d0 Merge pull request #18971 from justincormack/ptrace
Block additional ptrace related syscalls in default seccomp profile
Upstream-commit: e01cab1cc5c7f92747a479b5480ca78f7fc37101
Component: engine
2015-12-29 11:56:51 -08:00
ba9125a4e7 remove seccomp from seccomp profile
This can be allowed because it should only restrict more per the seccomp docs, and multiple apps use it today.

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: b610fc226afdf663b0ad46ad982c27fdee61f671
Component: engine
2015-12-29 11:21:33 -08:00
9e1ed3e829 Merge pull request #18947 from jfrazelle/fix-seccomp-unsupported
fix default profile where unsupported
Upstream-commit: 94e076086820aa34e6fc4fadb18714cd8b9263df
Component: engine
2015-12-29 10:21:07 -08:00
0adeca917f Merge pull request #18953 from justincormack/robust_list
Allow use of robust list syscalls in default seccomp policy
Upstream-commit: afdc4747dc16d4302ffd4f5dcb0fc537108862b7
Component: engine
2015-12-29 10:19:41 -08:00
f88929edd0 Merge pull request #18956 from justincormack/umount
Block original umount syscall in default seccomp filter
Upstream-commit: a32b06b067f847ee2cefe104430499c425c8fc2c
Component: engine
2015-12-29 10:19:04 -08:00
c726c9026e Block additional ptrace related syscalls in default seccomp profile
Block kcmp, process_vm_readv, process_vm_writev.
All these require CAP_PTRACE, and are only used for ptrace related
actions, so are not useful as we block ptrace.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: a0a8ca0ae0bc9dc7faa0b8bacf4ca376c7257348
Component: engine
2015-12-29 18:17:28 +00:00
42db75c945 Merge pull request #18959 from justincormack/finit_module
Deny finit_module in default seccomp profile
Upstream-commit: ad8bce2ce4e27f7484fc65a3e6b9bf111793a263
Component: engine
2015-12-29 10:12:50 -08:00
00259400b7 Merge pull request #18961 from justincormack/clock_adjtime
Block clock_adjtime in default seccomp config
Upstream-commit: 8ac3d083a856729bc78adad3924e85d73d07173f
Component: engine
2015-12-29 10:08:45 -08:00
cb797e315a Block bpf syscall from default seccomp profile
The bpf syscall can load code into the kernel which may
persist beyond container lifecycle. Requires CAP_SYS_ADMIN
already.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 33568405f34f363de49b1146119cc53bcb9e5f16
Component: engine
2015-12-29 17:28:30 +00:00
e76b5dd895 Block vm86 syscalls in default seccomp profile
These provide an in kernel virtual machine for x86 real mode on x86
used by one very early DOS emulator. Not required for any normal use.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 6c3ea7a511ca641cdf4fa4da1d775d5b6f4bef3e
Component: engine
2015-12-29 15:47:23 +00:00
d33f2d3ddd Block stime in default seccomp profile
The stime syscall is a legacy syscall on some architectures
to set the clock, should be blocked as time is not namespaced.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 6300a08be905969b16197f6a82a3d0d99a3f99cd
Component: engine
2015-12-29 15:28:05 +00:00
55ebb7bfa4 Block clock_adjtime in default seccomp config
clock_adjtime is the new POSIX-style version of adjtime allowing
a specific clock to be specified. Time is not namespaced, so do
not allow.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 0e5c43cddad304301ca8a82f652e15f75ee68cfe
Component: engine
2015-12-29 12:48:16 +00:00
40aa142ae9 Deny finit_module in default seccomp profile
This is a new version of init_module that takes a file descriptor
rather than a file name.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 0d5306a0b69c912a981f3a4bd41b80beb1207851
Component: engine
2015-12-29 12:31:33 +00:00
e02645b0cd Block original umount syscall in default seccomp filter
The original umount syscall without flags argument needs to
be blocked too.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 9be0d93cf74d1bb31c401f1154abc773af31cbd6
Component: engine
2015-12-29 11:57:16 +00:00
b5183e0bab Allow use of robust list syscalls
The set_robust_list syscall sets the list of futexes which are
cleaned up on thread exit, and are needed to avoid mutexes
being held forever on thread exit.

See for example in Musl libc mutex handling:
http://git.musl-libc.org/cgit/musl/tree/src/thread/pthread_mutex_trylock.c#n22

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 7b133e7235593f8d46832045da339395e71e8148
Component: engine
2015-12-29 10:22:05 +00:00
bc484831ec fix code comment
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: b4c14a0bb846343c6d6d5dde6d9259c2c62a0b1e
Component: engine
2015-12-28 22:36:54 -08:00
8002590c16 fix default profile where unsupported
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: 94b45310f400310af908a71f63ffcdaa504266de
Component: engine
2015-12-28 20:42:15 -08:00
b5ffb5a2c4 set default seccomp profile
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: 947293a28084cb5ee2e10e4d128c6e2b9d9da89d
Component: engine
2015-12-28 10:18:47 -08:00