From 0a0241a857e9e25a99e4afc2f679bb5e750ae0cd Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Sun, 10 Dec 2023 11:48:02 -0500
Subject: [PATCH] Disallow mount-related system calls

These should be blocked by not having CAP_SYS_ADMIN, but better safe than sorry.

---
 runtime/init-container/src/seccomp.c | 34 ++++++++++++++--------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/runtime/init-container/src/seccomp.c b/runtime/init-container/src/seccomp.c
index 7017554b..08879927 100644
--- a/runtime/init-container/src/seccomp.c
+++ b/runtime/init-container/src/seccomp.c
@@ -90,11 +90,7 @@ static const char *allow_syscalls[] = {
 "flock",
 "fork",
 "fremovexattr",
- "fsconfig",
 "fsetxattr",
- "fsmount",
- "fsopen",
- "fspick",
 "fstat",
 "fstat64",
 "fstatat64",
@@ -189,9 +185,6 @@ static const char *allow_syscalls[] = {
 "mlockall",
 "mmap",
 "mmap2",
- "mount",
- "mount_setattr",
- "move_mount",
 "mprotect",
 "mq_getsetattr",
 "mq_notify",
@@ -385,8 +378,6 @@ static const char *allow_syscalls[] = {
 "truncate64",
 "ugetrlimit",
 "umask",
- "umount",
- "umount2",
 "uname",
 "unlink",
 "unlinkat",
@@ -417,10 +408,19 @@ static const char *x86_syscalls[] = {
 static const char *eperm_syscalls[] = {
 "bdflush",
+ "bpf",
+ "fanotify_init",
+ "fsconfig",
+ "fsmount",
+ "fsopen",
+ "fspick",
 "io_pgetevents",
 "kexec_file_load",
 "kexec_load",
 "migrate_pages",
+ "mount",
+ "mount_setattr",
+ "move_mount",
 "move_pages",
 "nfsservctl",
 "nice",
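Review bot: The new-mount-API entries added to eperm_syscalls in the @@ -417 hunk (`fsconfig`, `fsmount`, `fsopen`, `fspick`, `move_mount`, `mount_setattr`) leave out `open_tree`, which is part of the same family and the usual partner of `move_mount`; if it is still in allow_syscalls (that part of the list is outside this patch), it should be moved here too, and `pivot_root` deserves the same check. The commit message's rationale — these calls already fail without CAP_SYS_ADMIN, so the listing is defence in depth — is not recorded in the file, so a short comment above the moved group, `/* mount family: already needs CAP_SYS_ADMIN; denied here as defence in depth */`, would stop a later cleanup from moving them back to the allow list. It is worth stating in that comment that `unshare` and `setns` are also EPERM in this list, since that is what closes the user-namespace route to mount privileges and makes the layered policy coherent.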
@@ -432,26 +432,26 @@ static const char *eperm_syscalls[] = {
 "pciconfig_iobase",
 "pciconfig_read",
 "pciconfig_write",
+ "perf_event_open",
+ "quotactl",
+ "setdomainname",
+ "sethostname",
+ "setns",
 "sgetmask",
 "ssetmask",
 "swapcontext",
 "swapoff",
 "swapon",
 "sysfs",
+ "umount",
+ "umount2",
+ "unshare",
 "uselib",
 "userfaultfd",
 "ustat",
 "vm86",
 "vm86old",
 "vmsplice",
- "bpf",
- "fanotify_init",
- "perf_event_open",
- "quotactl",
- "setdomainname",
- "sethostname",
- "setns",
- "unshare",
 };
 #define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0]))