

Merge pull request moby#33108 from justincormack/revert-seccomp-sockets
Revert "Block obsolete socket families in the default seccomp profile"
thaJeztah authored May 11, 2017
2 parents 69c35da + dcf2632 commit 33ebf32
Showing 6 changed files with 6 additions and 391 deletions.
3 changes: 1 addition & 2 deletions contrib/syscall-test/Dockerfile
Expand Up @@ -10,7 +10,6 @@ RUN gcc -g -Wall -static userns.c -o /usr/bin/userns-test \
&& gcc -g -Wall -static setuid.c -o /usr/bin/setuid-test \
&& gcc -g -Wall -static setgid.c -o /usr/bin/setgid-test \
&& gcc -g -Wall -static socket.c -o /usr/bin/socket-test \
&& gcc -g -Wall -static raw.c -o /usr/bin/raw-test \
&& gcc -g -Wall -static appletalk.c -o /usr/bin/appletalk-test
&& gcc -g -Wall -static raw.c -o /usr/bin/raw-test

RUN [ "$(uname -m)" = "x86_64" ] && gcc -s -m32 -nostdlib exit32.s -o /usr/bin/exit32-test || true
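Review bot: The list of syscall-test programs built in this RUN is duplicated by hand in ensureSyscallTest in integration-cli/fixtures_linux_daemon_test.go (`tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw"}`), and this revert has to edit both lists in lockstep; if the two drift, one environment silently ends up without a test binary the other relies on. A pointer on each side would make the coupling visible, e.g. `# keep in sync with the tests list in integration-cli/fixtures_linux_daemon_test.go` above the RUN here, and `// keep in sync with contrib/syscall-test/Dockerfile` above the `tests` slice there. The RUN instruction this hunk edits begins above the hunk.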
12 changes: 0 additions & 12 deletions contrib/syscall-test/appletalk.c

This file was deleted.

12 changes: 0 additions & 12 deletions integration-cli/docker_cli_run_unix_test.go
Expand Up @@ -1015,18 +1015,6 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
})
}

// TestRunSeccompProfileDenyUnusualSocketFamilies checks that rarely used socket families such as Appletalk are blocked by the default profile
func (s *DockerSuite) TestRunSeccompProfileDenyUnusualSocketFamilies(c *check.C) {
testRequires(c, SameHostDaemon, seccompEnabled)
ensureSyscallTest(c)

runCmd := exec.Command(dockerBinary, "run", "syscall-test", "appletalk-test")
_, _, err := runCommandWithOutput(runCmd)
if err != nil {
c.Fatal("expected opening appletalk socket family to fail")
}
}

// TestRunSeccompProfileDenyCloneUserns checks that 'docker run syscall-test'
// with a the default seccomp profile exits with operation not permitted.
func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
2 changes: 1 addition & 1 deletion integration-cli/fixtures_linux_daemon_test.go
Expand Up @@ -60,7 +60,7 @@ func ensureSyscallTest(c *check.C) {
gcc, err := exec.LookPath("gcc")
c.Assert(err, checker.IsNil, check.Commentf("could not find gcc"))

tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw", "appletalk"}
tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw"}
for _, test := range tests {
out, err := exec.Command(gcc, "-g", "-Wall", "-static", fmt.Sprintf("../contrib/syscall-test/%s.c", test), "-o", fmt.Sprintf("%s/%s-test", tmp, test)).CombinedOutput()
c.Assert(err, checker.IsNil, check.Commentf(string(out)))
219 changes: 2 additions & 217 deletions profiles/seccomp/default.json
Expand Up @@ -314,6 +314,8 @@
"signalfd",
"signalfd4",
"sigreturn",
"socket",
"socketcall",
"socketpair",
"splice",
"stat",
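Review bot: Restoring bare `"socket"` and `"socketcall"` to the default allow-list at the two added lines means the profile no longer inspects the address-family argument at all, and neither the commit title nor the description records why the per-family restriction is being withdrawn, so the next person editing this file has no signal that argument-filtered socket rules were tried and reverted. The profile format carries a free-form `"comment"` field per rule group (the removed entries below all had `"comment": ""`); if the enclosing group has one, recording the rationale there, for example `"comment": "socket/socketcall allowed for all address families; per-family filtering reverted in moby#33108"`, would keep that history next to the rule, and failing that the PR description should say it. This is the first of two hunks in the file; the second only removes the argument-filtered `socket`/`socketcall` entries and needs no separate note.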
Expand Down Expand Up @@ -449,223 +451,6 @@
"includes": {},
"excludes": {}
},
{
"names": [
"socket"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 1,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"socket"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 2,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"socket"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 10,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"socket"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 16,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"socket"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 17,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"socketcall"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 1,
"valueTwo": 0,
"op": "SCMP_CMP_GT"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"socketcall"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 1,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
},
{
"index": 1,
"value": 1,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"socketcall"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 1,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
},
{
"index": 1,
"value": 2,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"socketcall"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 1,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
},
{
"index": 1,
"value": 10,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"socketcall"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 1,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
},
{
"index": 1,
"value": 16,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"socketcall"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 1,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
},
{
"index": 1,
"value": 17,
"valueTwo": 0,
"op": "SCMP_CMP_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {}
},
{
"names": [
"sync_file_range2"
