seccomp: allow ptrace(2) for 4.8+ kernels #38137
Conversation
tonistiigi
force-pushed
the
seccomp-ptrace
branch
from
5a1f5e0 to
fb7b390
Compare
Codecov Report
@@ Coverage Diff @@
## master #38137 +/- ##
==========================================
- Coverage 36.55% 36.12% -0.44%
==========================================
Files 610 610
Lines 45275 45242 -33
==========================================
- Hits 16551 16342 -209
- Misses 26394 26656 +262
+ Partials 2330 2244 -86 |
4.8+ kernels have fixed the ptrace security issues so we can allow ptrace(2) on the default seccomp profile if we do the kernel version check. torvalds/linux@93e35ef Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
tonistiigi
force-pushed
the
seccomp-ptrace
branch
from
fb7b390 to
1124543
Compare
thaJeztah
added
status/2-code-review
impact/changelog
area/security/seccomp
and removed
status/0-triage
labels
| "args": null, | ||
| "comment": "", | ||
| "includes": { | ||
| "minKernel": "4.8.0" |
There was a problem hiding this comment.
I know generally we tried to avoid kernel version checks; Will this be an issue if distros backport this fix? (i.e., would there be another approach so that the default could manually be overridden at compile time?)
There was a problem hiding this comment.
If a distro backports they will just not get the ptrace support even if it may be secure for their kernel as well. User can still fix it in that case by providing a custom profile or upgrading the kernel. 4.8 is documented the switch point on the man page. Even if I would dynamically detect the behavior of the current system there is no way to mark that condition in the profile.
There was a problem hiding this comment.
Yeah, not sure if there's a cleaner solution. Was just thinking if (e.g.) Red Hat decides to backport, and Docker wants to ship Docker EE packages for RHEL with a correct profile
There was a problem hiding this comment.
You can ship a different default profile anyway, so I don't think this is an issue.
There was a problem hiding this comment.
In theory, we might want to specify a range or list of ranges of kernel versions, e.g. ["4.4.0", null], [null, "4.4.0"], [["3.16.0", "4.4.0"], ...]. It would be great to consider adding ranges into the current Seccomp profile format, so that it will be easier to implement ranges in the future in a backward-compatible way.
| "ptrace" | ||
| ], | ||
| "action": "SCMP_ACT_ALLOW", | ||
| "args": null, |
There was a problem hiding this comment.
Consider using empty array [] instead of null for consistency.
|
I can change it to any syntax that maintainers like to have. The current one came from discussing different variants (including the range one) with @justincormack |
|
I'm fine with this. |
|
Ranges format makes sense if some severe bug appeared on some kernel version A and fixed later on some version B. If adding ranges format in the future is not hard and is backward-compatible, then I have nothing against the current format : ) |
|
ping @justincormack @tiborvass |
| @@ -95,6 +96,21 @@ func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, e | |||
|
|
|||
| newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction) | |||
|
|
|||
| var currentKernelVersion *kernel.VersionInfo | |||
| kernelGreaterEqualThan := func(v string) (bool, error) { | |||
There was a problem hiding this comment.
not sure I like defining local closures like this, can you just make it a helper function external to this? (yes, Go should allow local functions...)
| @@ -110,6 +126,13 @@ Loop: | |||
| } | |||
| } | |||
| } | |||
| if call.Excludes.MinKernel != "" { | |||
| if ok, err := kernelGreaterEqualThan(call.Excludes.MinKernel); err != nil { | |||
| return nil, err | |||
There was a problem hiding this comment.
in the error case should we not just include the rule anyway? ie fail closed not error.
There was a problem hiding this comment.
This should fail only in the case where profile had a version that couldn't be parsed. I think that case is similar to the other validation, eg. the call.Names check.
| Names: []string{"ptrace"}, | ||
| Action: types.ActAllow, | ||
| Includes: types.Filter{ | ||
| MinKernel: "4.8.0", |
There was a problem hiding this comment.
Technically the kernel version is 4.8, there is not a 4.8.0 release, ir goes 4.8, 4.8.1...
|
This should have a test. |
|
Some comments but LGTM generally. Note that some uses for |
|
@justincormack For the test, what kind are you expecting. A unit test of some component? Integration seems tricky as this behavior is very much host dependent. |
|
@justincormack And just to confirm, no ranges like #38137 (comment) , right? I'd be fine with adding it. It could be useful in the case where a syscall becomes broken in a future version, and a seccomp profile could block that without upgrading the daemon. |
|
ping @justincormack |
|
@tonistiigi Does the current default Docker Seccomp profile allows |
|
@abudnik This PR is not in any release version of Docker yet. Next version 19.03 should allow it. |
|
@tonistiigi Previously, a default profile allowed |
|
@abudnik No it shouldn't. |
|
Wondering this should be disabled when |
|
I guess edit: and actually I'm not sure if this exposes anything very bad. You still don't have |
4.8+ kernels have fixed the ptrace security issues
so we can allow ptrace(2) on the default seccomp
profile if we do the kernel version check.
torvalds/linux@93e35ef
Signed-off-by: Tonis Tiigi tonistiigi@gmail.com