!60 docker:update seccomp whitelist to Linux 5.10 syscall list

From: @Vanient Reviewed-by: @jing-rui,@duguhaotian Signed-off-by: @duguhaotian
2021-09-27 06:35:52 +00:00 · 2021-09-27 06:35:52 +00:00 · a9202c81bb
commit a9202c81bb
parent fb04089b4a 447f294a20
6 changed files with 232 additions and 3 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-18.09.0.117
+18.09.0.118
--- a/docker.spec
+++ b/docker.spec
@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 117
+Release: 118
 Summary: The open-source application container engine
 Group: Tools/Docker

@ -211,6 +211,12 @@ fi
 %endif

 %changelog
+* Sun Sep 26 2021 xiadanni<xiadanni1@huawei.com> - 18.09.0-118
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:update seccomp whitelist to Linux 5.10 syscall list
+
 * Tue Aug 31 2021 WangFengTu<wangfengtu@huawei.com> - 18.09.0-117
 - Type:bugfix
 - CVE:NA
--- a/2
+++ b/2
@ -1 +1 @@
-1c709d95951a0faeafc3a13fe01473a77d6ff42c
+83b0845432ba7ae940cf3276334608b30e43b05a
--- a/patch/0193-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch
+++ b/patch/0193-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch
@ -0,0 +1,30 @@
+From 376f6a9de2dcbf9605c23409a880eb3534af6ffa Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Wed, 8 Sep 2021 09:04:31 +0800
+Subject: [PATCH] docker: add clone3 to seccomp whitelist to fix curl failed in
+ X86
+
+After kernel upgrade to 5.10, clone3 is defined. But if clone3 is not added
+to docker seccomp whitelist, clone3 calling will be rejected in container, which
+causes some commands like curl returns error.
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ components/engine/profiles/seccomp/seccomp_default.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
+index 60550124..ac81c2e0 100644
+--- a/components/engine/profiles/seccomp/seccomp_default.go
+++ b/components/engine/profiles/seccomp/seccomp_default.go
+@@ -449,6 +449,7 @@ func DefaultProfile() *types.Seccomp {
+ 		{
+ 			Names: []string{
+ 				"modify_ldt",
+				"clone3",
+ 			},
+ 			Action: types.ActAllow,
+ 			Args:   []*types.Arg{},
+-- 
+2.27.0
+
--- a/patch/0194-docker-update-seccomp-whitelist-to-Linux-5.10-syscal.patch
+++ b/patch/0194-docker-update-seccomp-whitelist-to-Linux-5.10-syscal.patch
@ -0,0 +1,191 @@
+From 7bc9a315e181d6925a4ffe7702a25d3ac90ef5ab Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Sun, 26 Sep 2021 05:45:02 +0800
+Subject: [PATCH] docker:update seccomp whitelist to Linux 5.10 syscall list
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ .../profiles/seccomp/seccomp_default.go       | 39 +++++++++++++++++--
+ 1 file changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
+index ac81c2e0e9..2c6706237d 100644
+--- a/components/engine/profiles/seccomp/seccomp_default.go
+++ b/components/engine/profiles/seccomp/seccomp_default.go
+@@ -58,10 +58,16 @@ func DefaultProfile() *types.Seccomp {
+ 				"chmod",
+ 				"chown",
+ 				"chown32",
+				"clock_adjtime",
+				"clock_adjtime64",
+ 				"clock_getres",
+				"clock_getres_time64",
+ 				"clock_gettime",
+				"clock_gettime64",
+ 				"clock_nanosleep",
+				"clock_nanosleep_time64",
+ 				"close",
+				"close_range",
+ 				"connect",
+ 				"copy_file_range",
+ 				"creat",
+@@ -73,6 +79,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"epoll_ctl",
+ 				"epoll_ctl_old",
+ 				"epoll_pwait",
+				"epoll_pwait2",
+ 				"epoll_wait",
+ 				"epoll_wait_old",
+ 				"eventfd",
+@@ -82,6 +89,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"exit",
+ 				"exit_group",
+ 				"faccessat",
+				"faccessat2",
+ 				"fadvise64",
+ 				"fadvise64_64",
+ 				"fallocate",
+@@ -110,6 +118,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"ftruncate",
+ 				"ftruncate64",
+ 				"futex",
+				"futex_time64",
+ 				"futimesat",
+ 				"getcpu",
+ 				"getcwd",
+@@ -155,10 +164,15 @@ func DefaultProfile() *types.Seccomp {
+ 				"ioctl",
+ 				"io_destroy",
+ 				"io_getevents",
+				"io_pgetevents",
+				"io_pgetevents_time64",
+ 				"ioprio_get",
+ 				"ioprio_set",
+ 				"io_setup",
+ 				"io_submit",
+				"io_uring_enter",
+				"io_uring_register",
+				"io_uring_setup",
+ 				"ipc",
+ 				"kill",
+ 				"lchown",
+@@ -176,6 +190,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"lstat",
+ 				"lstat64",
+ 				"madvise",
+				"membarrier",
+ 				"memfd_create",
+ 				"mincore",
+ 				"mkdir",
+@@ -192,7 +207,9 @@ func DefaultProfile() *types.Seccomp {
+ 				"mq_notify",
+ 				"mq_open",
+ 				"mq_timedreceive",
+				"mq_timedreceive_time64",
+ 				"mq_timedsend",
+				"mq_timedsend_time64",
+ 				"mq_unlink",
+ 				"mremap",
+ 				"msgctl",
+@@ -208,17 +225,22 @@ func DefaultProfile() *types.Seccomp {
+ 				"_newselect",
+ 				"open",
+ 				"openat",
+				"openat2",
+ 				"pause",
+				"pidfd_open",
+				"pidfd_send_signal",
+ 				"pipe",
+ 				"pipe2",
+ 				"poll",
+ 				"ppoll",
+				"ppoll_time64",
+ 				"prctl",
+ 				"pread64",
+ 				"preadv",
+ 				"preadv2",
+ 				"prlimit64",
+ 				"pselect6",
+				"pselect6_time64",
+ 				"pwrite64",
+ 				"pwritev",
+ 				"pwritev2",
+@@ -230,6 +252,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"recv",
+ 				"recvfrom",
+ 				"recvmmsg",
+				"recvmmsg_time64",
+ 				"recvmsg",
+ 				"remap_file_pages",
+ 				"removexattr",
+@@ -238,6 +261,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"renameat2",
+ 				"restart_syscall",
+ 				"rmdir",
+				"rseq",
+ 				"rt_sigaction",
+ 				"rt_sigpending",
+ 				"rt_sigprocmask",
+@@ -245,6 +269,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"rt_sigreturn",
+ 				"rt_sigsuspend",
+ 				"rt_sigtimedwait",
+				"rt_sigtimedwait_time64",
+ 				"rt_tgsigqueueinfo",
+ 				"sched_getaffinity",
+ 				"sched_getattr",
+@@ -253,6 +278,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"sched_get_priority_min",
+ 				"sched_getscheduler",
+ 				"sched_rr_get_interval",
+				"sched_rr_get_interval_time64",
+ 				"sched_setaffinity",
+ 				"sched_setattr",
+ 				"sched_setparam",
+@@ -264,6 +290,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"semget",
+ 				"semop",
+ 				"semtimedop",
+				"semtimedop_time64",
+ 				"send",
+ 				"sendfile",
+ 				"sendfile64",
+@@ -306,6 +333,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"sigaltstack",
+ 				"signalfd",
+ 				"signalfd4",
+				"sigprocmask",
+ 				"sigreturn",
+ 				"socket",
+ 				"socketcall",
+@@ -327,12 +355,16 @@ func DefaultProfile() *types.Seccomp {
+ 				"time",
+ 				"timer_create",
+ 				"timer_delete",
+-				"timerfd_create",
+-				"timerfd_gettime",
+-				"timerfd_settime",
+ 				"timer_getoverrun",
+ 				"timer_gettime",
+				"timer_gettime64",
+ 				"timer_settime",
+				"timer_settime64",
+				"timerfd_create",
+				"timerfd_gettime",
+				"timerfd_gettime64",
+				"timerfd_settime",
+				"timerfd_settime64",
+ 				"times",
+ 				"tkill",
+ 				"truncate",
+@@ -344,6 +376,7 @@ func DefaultProfile() *types.Seccomp {
+ 				"unlinkat",
+ 				"utime",
+ 				"utimensat",
+				"utimensat_time64",
+ 				"utimes",
+ 				"vfork",
+ 				"vmsplice",
+-- 
+2.27.0
+
--- a/series.conf
+++ b/series.conf
@ -190,4 +190,6 @@ patch/0189-docker-fix-Access-to-remapped-root-allows-privilege-.patch
 patch/0190-docker-fix-CVE-2021-21285.patch
 patch/0191-rollback-if-docker-restart-when-doing-BlkDiscard.patch
 patch/0192-fix-dangling-unpigz.patch
+patch/0193-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch
+patch/0194-docker-update-seccomp-whitelist-to-Linux-5.10-syscal.patch
 #end