From 508743563d45303f28dfb6f196634fecea560e4a Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Wed, 23 Sep 2015 14:20:42 -0400
Subject: [PATCH 1/3] Add Architecture field to Seccomp configuration in Linux runtime

By default, Seccomp filters will only permit syscalls to be made using the native architecture of the kernel. This is fine for most use cases, but breaks others (such as running 32-bit code in a container on a host with a 64-bit kernel). This patch adds a field to specify additional architectures which may make syscalls.

Signed-off-by: Matthew Heon
---
 runtime-config-linux.md | 5 ++++-
 runtime_config_linux.go | 5 +++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/runtime-config-linux.md b/runtime-config-linux.md
index c4bd31d50..323b08d2b 100644
--- a/runtime-config-linux.md
+++ b/runtime-config-linux.md
@@ -319,11 +319,14 @@ For more information about Apparmor, see [Apparmor documentation](https://wiki.u
 Seccomp provides application sandboxing mechanism in the Linux kernel.
 Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows matching on values passed as arguments to syscalls.
 For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
-The actions and operators are strings that match the definitions in seccomp.h from [libseccomp](/~https://github.com/seccomp/libseccomp) and are translated to corresponding values.
+The actions, architectures, and operators are strings that match the definitions in seccomp.h from [libseccomp](/~https://github.com/seccomp/libseccomp) and are translated to corresponding values.
 
 ```json
 "seccomp": {
 "defaultAction": "SCMP_ACT_ALLOW",
+"architectures": [
+"SCMP_ARCH_X86"
+],
 "syscalls": [
 {
 "name": "getcwd",
diff --git a/runtime_config_linux.go b/runtime_config_linux.go
index 42e3fa654..8ae4479bc 100644
--- a/runtime_config_linux.go
+++ b/runtime_config_linux.go
@@ -235,9 +235,14 @@ type Device struct {
 // Seccomp represents syscall restrictions
 type Seccomp struct {
 DefaultAction Action `json:"defaultAction"`
+Architectures []Arch `json:"architectures"`
 Syscalls []*Syscall `json:"syscalls"`
 }
 
+// Additional architectures permitted to be used for system calls
+// By default only the native architecture of the kernel is permitted
+type Arch string
+
 // Action taken upon Seccomp rule match
 type Action string
 
From 5fd7dce52718bdc7dee5af6c9529e05eea1a66ed Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Wed, 23 Sep 2015 15:04:54 -0400
Subject: [PATCH 2/3] Add Seccomp constants to Linux runtime config

Signed-off-by: Matthew Heon
---
 runtime_config_linux.go | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/runtime_config_linux.go b/runtime_config_linux.go
index 8ae4479bc..b24b4b955 100644
--- a/runtime_config_linux.go
+++ b/runtime_config_linux.go
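Review bot: The doc comment on the new `Arch` type neither starts with the type name nor says what listing an architecture does to the filter; libseccomp compiles the rule set separately for every architecture in the filter, resolving syscall names to that ABI's numbers, and the native architecture is present from filter creation. I would replace the two comment lines with `// Arch is a libseccomp SCMP_ARCH_* name. Listing it in Seccomp.Architectures adds that ABI to the filter so the syscalls rules are applied to calls made through it as well; the kernel's native architecture is always included.` What happens to a syscall made through an ABI that is not listed (killed, or passed through) is decided by the runtime's libseccomp bad-architecture setting rather than by this config, so the field comment should state which behaviour the spec intends, since that is what the 32-bit-on-64-bit case in the commit message depends on. `Architectures` has no `omitempty`, consistent with `Syscalls`, so an absent list round-trips as `null`; worth a note if consumers are expected to treat nil and empty alike.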
@@ -243,12 +243,44 @@ type Seccomp struct {
 // By default only the native architecture of the kernel is permitted
 type Arch string
 
+const (
+ArchX86 Arch = "SCMP_ARCH_X86"
+ArchX86_64 Arch = "SCMP_ARCH_X86_64"
+ArchX32 Arch = "SCMP_ARCH_X32"
+ArchARM Arch = "SCMP_ARCH_ARM"
+ArchAARCH64 Arch = "SCMP_ARCH_AARCH64"
+ArchMIPS Arch = "SCMP_ARCH_MIPS"
+ArchMIPS64 Arch = "SCMP_ARCH_MIPS64"
+ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32"
+ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL"
+ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64"
+ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
+)
+
 // Action taken upon Seccomp rule match
 type Action string
 
+const (
+ActKill Action = "SCMP_ACT_KILL"
+ActTrap Action = "SCMP_ACT_TRAP"
+ActErrno Action = "SCMP_ACT_ERRNO"
+ActTrace Action = "SCMP_ACT_TRACE"
+ActAllow Action = "SCMP_ACT_ALLOW"
+)
+
 // Operator used to match syscall arguments in Seccomp
 type Operator string
 
+const (
+OpNotEqual Operator = "SCMP_CMP_NE"
+OpLessThan Operator = "SCMP_CMP_LT"
+OpLessEqual Operator = "SCMP_CMP_LE"
+OpEqualTo Operator = "SCMP_CMP_EQ"
+OpGreaterEqual Operator = "SCMP_CMP_GE"
+OpGreaterThan Operator = "SCMP_CMP_GT"
+OpMaskedEqual Operator = "SCMP_CMP_MASKED_EQ"
+)
+
 // Arg used for matching specific syscall arguments in Seccomp
 type Arg struct {
 Index uint `json:"index"`
From 215d0d98c70a3c90f7f729d1c34d671b8768f18e Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Wed, 23 Sep 2015 15:16:49 -0400
Subject: [PATCH 3/3] Add Seccomp constants to description of Linux runtime spec

Signed-off-by: Matthew Heon
---
 runtime-config-linux.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/runtime-config-linux.md b/runtime-config-linux.md
index 323b08d2b..c32213527 100644
--- a/runtime-config-linux.md
+++ b/runtime-config-linux.md
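Review bot: `ActErrno` and `ActTrace` are the names of parameterised libseccomp macros — `SCMP_ACT_ERRNO(x)` carries the errno returned to the caller and `SCMP_ACT_TRACE(x)` the value handed to the tracer — but `Action` is a bare string, so a configuration cannot express the parameter and each runtime will pick its own, which makes one config behave differently across implementations. Until a field for that value exists on `Syscall`, the two constants need a doc comment saying so, e.g. `// ActErrno rejects the call with an errno; the value is not expressible here yet, so runtimes must document which errno they return.` None of the exported constants carries a doc comment; a group comment per block such as `// Arch constants are the libseccomp SCMP_ARCH_* names accepted in Seccomp.Architectures.` satisfies golint and tells readers where the strings come from. `ActKill` also deserves a note that in libseccomp of this vintage `SCMP_ACT_KILL` terminates only the calling thread, so a multi-threaded process inside the sandbox can keep running after a violation and a runtime should not assume the container has stopped.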
@@ -320,6 +320,36 @@ Seccomp provides application sandboxing mechanism in the Linux kernel.
 Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows matching on values passed as arguments to syscalls.
 For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
 The actions, architectures, and operators are strings that match the definitions in seccomp.h from [libseccomp](/~https://github.com/seccomp/libseccomp) and are translated to corresponding values.
+A valid list of constants as of Libseccomp v2.2.3 is contained below.
+
+Architecture Constants
+* `SCMP_ARCH_X86`
+* `SCMP_ARCH_X86_64`
+* `SCMP_ARCH_X32`
+* `SCMP_ARCH_ARM`
+* `SCMP_ARCH_AARCH64`
+* `SCMP_ARCH_MIPS`
+* `SCMP_ARCH_MIPS64`
+* `SCMP_ARCH_MIPS64N32`
+* `SCMP_ARCH_MIPSEL`
+* `SCMP_ARCH_MIPSEL64`
+* `SCMP_ARCH_MIPSEL64N32`
+
+Action Constants:
+* `SCMP_ACT_KILL`
+* `SCMP_ACT_TRAP`
+* `SCMP_ACT_ERRNO`
+* `SCMP_ACT_TRACE`
+* `SCMP_ACT_ALLOW`
+
+Operator Constants:
+* `SCMP_CMP_NE`
+* `SCMP_CMP_LT`
+* `SCMP_CMP_LE`
+* `SCMP_CMP_EQ`
+* `SCMP_CMP_GE`
+* `SCMP_CMP_GT`
+* `SCMP_CMP_MASKED_EQ`
 
 ```json
 "seccomp": {