If possible, apply seccomp rules immediately before exec

See moby/moby#22252 Previously we would apply seccomp rules before applying capabilities, because it requires CAP_SYS_ADMIN. This however means that a seccomp profile needs to allow operations such as setcap() and setuid() which you might reasonably want to disallow. If prctl(PR_SET_NO_NEW_PRIVS) has been applied however setting a seccomp filter is an unprivileged operation. Therefore if this has been set, apply the seccomp filter as late as possible, after capabilities have been dropped and the uid set. Note a small number of syscalls will take place after the filter is applied, such as `futex`, `stat` and `execve`, so these still need to be allowed in addition to any the program itself needs. Signed-off-by: Justin Cormack <[email protected]>
opencontainers · Apr 27, 2016 · e18de63 · e18de63
1 parent 07d062b
commit e18de63
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
@@ -123,7 +123,10 @@ func (l *linuxStandardInit) Init() error {
 	if err := syncParentReady(l.pipe); err != nil {
 		return err
 	}
-	if l.config.Config.Seccomp != nil {
+	// Without NoNewPrivileges seccomp is a privileged operation, so we need to
+	// do this before dropping capabilities; otherwise do it as late as possible
+	// just before execve so as few syscalls take place after it as possible.
+	if l.config.Config.Seccomp != nil && !l.config.NoNewPrivileges {
 		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
 			return err
 		}
@@ -142,6 +145,11 @@ func (l *linuxStandardInit) Init() error {
 	if syscall.Getppid() != l.parentPid {
 		return syscall.Kill(syscall.Getpid(), syscall.SIGKILL)
 	}
+	if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
+		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
+			return err
+		}
+	}
 
 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
 }