Merge branch 'seccomp-bugfix' into 'huawei-1.11.2'

Seccomp bugfix See merge request docker/docker!591
liusdu · Jun 30, 2017 · bcfebf4 · bcfebf4
2 parents dd308d6 + 7e97f6e
commit bcfebf4
Show file tree

Hide file tree

Showing 8 changed files with 467 additions and 240 deletions.
diff --git a/daemon/seccomp_linux.go b/daemon/seccomp_linux.go
@@ -36,9 +36,9 @@ func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
 		}
 	} else {
 		if c.HostConfig.SystemContainer {
-			profile, err = seccomp.GetDefaultProfileForSystemContainer()
+			profile, err = seccomp.GetDefaultProfileForSystemContainer(rs)
 		} else {
-			profile, err = seccomp.GetDefaultProfile()
+			profile, err = seccomp.GetDefaultProfile(rs)
 		}
 		if err != nil {
 			return err

diff --git a/docs/reference/run.md b/docs/reference/run.md
@@ -1098,14 +1098,6 @@ one can use this flag:
     --privileged=false: Give extended privileges to this container
     --device=[]: Allows you to run devices inside the container without the --privileged flag.
 
-> **Note:**
-> With Docker 1.10 and greater, the default seccomp profile will also block
-> syscalls, regardless of `--cap-add` passed to the container. We recommend in
-> these cases to create your own custom seccomp profile based off our
-> [default](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json).
-> Or if you don't want to run with the default seccomp profile, you can pass
-> `--security-opt=seccomp=unconfined` on run.
-
 By default, Docker containers are "unprivileged" and cannot, for
 example, run a Docker daemon inside a Docker container. This is because
 by default a container is not allowed to access any devices, but a
@@ -1223,6 +1215,11 @@ To mount a FUSE based filesystem, you need to combine both `--cap-add` and
     -rw-rw-r-- 1 1000 1000    461 Dec  4 06:08 .gitignore
     ....
 
+The default seccomp profile will adjust to the selected capabilities, in order to allow
+use of facilities allowed by the capabilities, so you should not have to adjust this,
+since Docker 1.12. In Docker 1.10 and 1.11 this did not happen and it may be necessary
+to use a custom seccomp profile or use `--security-opt seccomp=unconfined` when adding
+capabilities.
 
 ## Logging drivers (--log-driver)
 

diff --git a/integration-cli/docker_cli_run_unix_test.go b/integration-cli/docker_cli_run_unix_test.go
@@ -960,24 +960,80 @@ func (s *DockerSuite) TestRunSeccompDefaultProfile(c *check.C) {
 	testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace)
 
 	var group sync.WaitGroup
-	group.Add(4)
+	group.Add(11)
 	errChan := make(chan error, 4)
 	go func() {
-		out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "syscall-test", "acct-test")
+		out, _, err := dockerCmdWithError("run", "syscall-test", "acct-test")
 		if err == nil || !strings.Contains(out, "Operation not permitted") {
 			errChan <- fmt.Errorf("expected Operation not permitted, got: %s", out)
 		}
 		group.Done()
 	}()
 
 	go func() {
-		out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "syscall-test", "ns-test", "echo", "hello")
+		out, _, err := dockerCmdWithError("run", "--cap-add", "sys_admin", "syscall-test", "acct-test")
 		if err == nil || !strings.Contains(out, "Operation not permitted") {
 			errChan <- fmt.Errorf("expected Operation not permitted, got: %s", out)
 		}
 		group.Done()
 	}()
 
+	go func() {
+		out, _, err := dockerCmdWithError("run", "--cap-add", "sys_pacct", "syscall-test", "acct-test")
+		if err == nil || !strings.Contains(out, "No such file or directory") {
+			errChan <- fmt.Errorf("expected No such file or directory, got: %s", out)
+		}
+		group.Done()
+	}()
+
+	go func() {
+		out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "syscall-test", "acct-test")
+		if err == nil || !strings.Contains(out, "No such file or directory") {
+			errChan <- fmt.Errorf("expected No such file or directory, got: %s", out)
+		}
+		group.Done()
+	}()
+
+	go func() {
+		out, _, err := dockerCmdWithError("run", "--cap-drop", "ALL", "--cap-add", "sys_pacct", "syscall-test", "acct-test")
+		if err == nil || !strings.Contains(out, "No such file or directory") {
+			errChan <- fmt.Errorf("expected No such file or directory, got: %s", out)
+		}
+		group.Done()
+	}()
+
+	go func() {
+		out, _, err := dockerCmdWithError("run", "syscall-test", "ns-test", "echo", "hello0")
+		if err == nil || !strings.Contains(out, "Operation not permitted") {
+			errChan <- fmt.Errorf("expected Operation not permitted, got: %s", out)
+		}
+		group.Done()
+	}()
+
+	go func() {
+		out, _, err := dockerCmdWithError("run", "--cap-add", "sys_admin", "syscall-test", "ns-test", "echo", "hello1")
+		if err != nil || !strings.Contains(out, "hello1") {
+			errChan <- fmt.Errorf("expected hello1, got: %s, %v", out, err)
+		}
+		group.Done()
+	}()
+
+	go func() {
+		out, _, err := dockerCmdWithError("run", "--cap-drop", "all", "--cap-add", "sys_admin", "syscall-test", "ns-test", "echo", "hello2")
+		if err != nil || !strings.Contains(out, "hello2") {
+			errChan <- fmt.Errorf("expected hello2, got: %s, %v", out, err)
+		}
+		group.Done()
+	}()
+
+	go func() {
+		out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "syscall-test", "ns-test", "echo", "hello3")
+		if err != nil || !strings.Contains(out, "hello3") {
+			errChan <- fmt.Errorf("expected hello3, got: %s, %v", out, err)
+		}
+		group.Done()
+	}()
+
 	go func() {
 		out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "--security-opt", "seccomp=unconfined", "syscall-test", "acct-test")
 		if err == nil || !strings.Contains(out, "No such file or directory") {
@@ -987,9 +1043,9 @@ func (s *DockerSuite) TestRunSeccompDefaultProfile(c *check.C) {
 	}()
 
 	go func() {
-		out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "--security-opt", "seccomp=unconfined", "syscall-test", "ns-test", "echo", "hello")
-		if err != nil || !strings.Contains(out, "hello") {
-			errChan <- fmt.Errorf("expected hello, got: %s, %v", out, err)
+		out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "--security-opt", "seccomp=unconfined", "syscall-test", "ns-test", "echo", "hello4")
+		if err != nil || !strings.Contains(out, "hello4") {
+			errChan <- fmt.Errorf("expected hello4, got: %s, %v", out, err)
 		}
 		group.Done()
 	}()

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
@@ -26,11 +26,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "arch_prctl",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "bind",
 			"action": "SCMP_ACT_ALLOW",
@@ -61,21 +56,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "chown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "chown32",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "chroot",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "clock_getres",
 			"action": "SCMP_ACT_ALLOW",
@@ -91,18 +71,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "clone",
-			"action": "SCMP_ACT_ALLOW",
-			"args": [
-				{
-					"index": 0,
-					"value": 2080505856,
-					"valueTwo": 0,
-					"op": "SCMP_CMP_MASKED_EQ"
-				}
-			]
-		},
 		{
 			"name": "close",
 			"action": "SCMP_ACT_ALLOW",
@@ -223,11 +191,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "fanotify_init",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "fanotify_mark",
 			"action": "SCMP_ACT_ALLOW",
@@ -248,21 +211,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "fchown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "fchown32",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "fchownat",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "fcntl",
 			"action": "SCMP_ACT_ALLOW",
@@ -608,16 +556,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "lchown",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "lchown32",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "lgetxattr",
 			"action": "SCMP_ACT_ALLOW",
@@ -713,21 +651,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "mlock",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "mlock2",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "mlockall",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "mmap",
 			"action": "SCMP_ACT_ALLOW",
@@ -1179,11 +1102,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "setdomainname",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "setfsgid",
 			"action": "SCMP_ACT_ALLOW",
@@ -1224,11 +1142,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "sethostname",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "setitimer",
 			"action": "SCMP_ACT_ALLOW",
@@ -1569,11 +1482,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "vhangup",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "vmsplice",
 			"action": "SCMP_ACT_ALLOW",
@@ -1604,23 +1512,70 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "arch_prctl",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "modify_ldt",
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
 		{
-			"name": "breakpoint",
+			"name": "chown",
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
 		{
-			"name": "cacheflush",
+			"name": "chown32",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "fchown",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "fchown32",
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
 		{
-			"name": "set_tls",
+			"name": "fchownat",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "lchown",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "lchown32",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "chroot",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "clone",
+			"action": "SCMP_ACT_ALLOW",
+			"args": [
+				{
+					"index": 0,
+					"value": 2080505856,
+					"valueTwo": 0,
+					"op": "SCMP_CMP_MASKED_EQ"
+				}
+			]
+		},
+		{
+			"name": "fchown",
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		}

diff --git a/profiles/seccomp/generate.go b/profiles/seccomp/generate.go
@@ -8,6 +8,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/docker/docker/oci"
 	"github.com/docker/docker/profiles/seccomp"
 )
 
@@ -20,8 +21,10 @@ func main() {
 	}
 	f := filepath.Join(wd, "default.json")
 
+	rs := oci.DefaultSpec()
+
 	// write the default profile to the file
-	b, err := json.MarshalIndent(seccomp.DefaultProfile, "", "\t")
+	b, err := json.MarshalIndent(seccomp.DefaultProfile(&rs), "", "\t")
 	if err != nil {
 		panic(err)
 	}