From 7fdb10038b60c82c3dc45c46d81064e6b668915c Mon Sep 17 00:00:00 2001
From: Kenta Tada
Date: Mon, 20 May 2019 19:02:28 +0900
Subject: [PATCH] seccomp: add CloneNewCgroup to check sysCloneFlagsIndex

All clone flags should be denied as default profile.
Also x/sys should be used instead of syscall.

Signed-off-by: Kenta Tada
---
 generate/seccomp/seccomp_default.go | 2 +-
 generate/seccomp/seccomp_default_linux.go | 15 ++++++++-------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/generate/seccomp/seccomp_default.go b/generate/seccomp/seccomp_default.go
index 12bc44d6..caf9b5c2 100644
--- a/generate/seccomp/seccomp_default.go
+++ b/generate/seccomp/seccomp_default.go
@@ -513,7 +513,7 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
 Args: []rspec.LinuxSeccompArg{
 {
 Index: sysCloneFlagsIndex,
- Value: CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet,
+ Value: CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet | CloneNewCgroup,
 ValueTwo: 0,
 Op: rspec.OpMaskedEqual,
 },
diff --git a/generate/seccomp/seccomp_default_linux.go b/generate/seccomp/seccomp_default_linux.go
index 93472fba..5ca9a6da 100644
--- a/generate/seccomp/seccomp_default_linux.go
+++ b/generate/seccomp/seccomp_default_linux.go
@@ -3,14 +3,15 @@
 package seccomp
-import "syscall"
+import "golang.org/x/sys/unix"
 // System values passed through on linux
 const (
- CloneNewIPC = syscall.CLONE_NEWIPC
- CloneNewNet = syscall.CLONE_NEWNET
- CloneNewNS = syscall.CLONE_NEWNS
- CloneNewPID = syscall.CLONE_NEWPID
- CloneNewUser = syscall.CLONE_NEWUSER
- CloneNewUTS = syscall.CLONE_NEWUTS
+ CloneNewIPC = unix.CLONE_NEWIPC
+ CloneNewNet = unix.CLONE_NEWNET
+ CloneNewNS = unix.CLONE_NEWNS
+ CloneNewPID = unix.CLONE_NEWPID
+ CloneNewUser = unix.CLONE_NEWUSER
+ CloneNewUTS = unix.CLONE_NEWUTS
+ CloneNewCgroup = unix.CLONE_NEWCGROUP
 )
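Review bot: The widened mask on the `+ Value:` line is still an enumerated list: combined with `Op: rspec.OpMaskedEqual` and `ValueTwo: 0`, the rule matches a clone whose flags contain none of the listed bits, so any namespace-creating flag that is not in the mask is not checked by this rule until someone adds it here, which is exactly the gap CloneNewCgroup is closing. That contract deserves a comment beside the value, e.g. `// Namespace-creating clone flags; the rule matches only when none of them are set, so every new CLONE_NEW* flag must be added here.` The action attached to this argument rule and the rest of DefaultProfile are outside the hunk, so whether a match allows or denies the call is inferred from the commit message rather than visible.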
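Review bot: `CloneNewCgroup` is declared only in this `_linux.go` file, while the new reference in the first hunk sits in seccomp_default.go, a file with no platform suffix; if the package has a non-Linux counterpart that declares the other CloneNew* constants, it now needs `CloneNewCgroup` as well or the package stops compiling there (not visible in this patch, so worth confirming). The block comment could also say what the values are for, e.g. `// Clone flags that create a new namespace; used to build the seccomp argument mask for clone(2) in DefaultProfile.` The switch from `syscall` to `golang.org/x/sys/unix` introduces a module dependency that the build files must already carry; the diffstat lists only these two files.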