From 28a8f3016bfba8aab5cf0495519ca41f4c43f7a3 Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Fri, 25 Oct 2024 15:00:22 +0800
Subject: [PATCH] docker:support calling clone when clone3 is not support

---
 components/engine/api/types/seccomp.go | 1 +
 components/engine/profiles/seccomp/seccomp.go | 7 +++---
 .../profiles/seccomp/seccomp_default.go | 22 ++++++++++---------
 .../runtime-spec/specs-go/config.go | 1 +
 4 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/components/engine/api/types/seccomp.go b/components/engine/api/types/seccomp.go
index 67a41e1a..0ed7d6ee 100644
--- a/components/engine/api/types/seccomp.go
+++ b/components/engine/api/types/seccomp.go
@@ -86,6 +86,7 @@ type Syscall struct {
 Name string `json:"name,omitempty"`
 Names []string `json:"names,omitempty"`
 Action Action `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
 Args []*Arg `json:"args"`
 Comment string `json:"comment"`
 Includes Filter `json:"includes"`
diff --git a/components/engine/profiles/seccomp/seccomp.go b/components/engine/profiles/seccomp/seccomp.go
index 4438670a..993e8d87 100644
--- a/components/engine/profiles/seccomp/seccomp.go
+++ b/components/engine/profiles/seccomp/seccomp.go
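Review bot: The new `ErrnoRet` field on `Syscall` has no doc comment, so a profile author cannot tell from this type which actions consult it or what a nil value means. I would add `// ErrnoRet is the errno returned to the caller when Action is ActErrno (or ActTrace); nil leaves the choice to the runtime, which presumably defaults to EPERM — confirm against runc.` Using `*uint` rather than `uint` is the right choice here, since it keeps an explicit `errnoRet: 0` distinguishable from the key being absent, and that is worth stating in the comment too. Whether an `errnoRet` on a non-errno action is rejected or ignored is decided in profiles/seccomp, not in this struct, so the comment should not promise validation.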
@@ -128,21 +128,22 @@ Loop:
 }
 if call.Name != "" {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args, call.ErrnoRet))
 }
 for _, n := range call.Names {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args, call.ErrnoRet))
 }
 }
 return newConfig, nil
 }
-func createSpecsSyscall(name string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
+func createSpecsSyscall(name string, action types.Action, args []*types.Arg, errnoRet *uint) specs.LinuxSyscall {
 newCall := specs.LinuxSyscall{
 Names: []string{name},
 Action: specs.LinuxSeccompAction(action),
+ ErrnoRet: errnoRet,
 }
 // Loop through all the arguments of the syscall and convert them
diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
index a90e441c..0b96de5f 100644
--- a/components/engine/profiles/seccomp/seccomp_default.go
+++ b/components/engine/profiles/seccomp/seccomp_default.go
@@ -42,6 +42,7 @@ func arches() []types.Architecture {
 // DefaultProfile defines the whitelist for the default seccomp profile.
 func DefaultProfile() *types.Seccomp {
+ nosys := uint(unix.ENOSYS)
 syscalls := []*types.Syscall{
 {
 Names: []string{
@@ -489,16 +490,6 @@ func DefaultProfile() *types.Seccomp {
 Arches: []string{"amd64", "x32", "x86"},
 },
 },
- {
- Names: []string{
- "clone3",
- },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
- Arches: []string{"arm64", "amd64", "x32", "x86"},
- },
- },
 {
 Names: []string{
 "s390_pci_mmio_read",
@@ -525,6 +516,7 @@ func DefaultProfile() *types.Seccomp {
 Names: []string{
 "bpf",
 "clone",
+ "clone3",
 "fanotify_init",
 "lookup_dcookie",
 "mount",
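Review bot: `call.ErrnoRet` is now copied into every generated `specs.LinuxSyscall` regardless of `call.Action`, so a user-supplied JSON profile that sets `errnoRet` on an entry whose action is not `SCMP_ACT_ERRNO` (or `SCMP_ACT_TRACE`) is accepted here and the value is silently dropped further down instead of being reported as a malformed profile. A guard in the loop before the two `append` calls, `if call.ErrnoRet != nil && call.Action != types.ActErrno && call.Action != types.ActTrace { return nil, fmt.Errorf("errnoRet is only valid with SCMP_ACT_ERRNO or SCMP_ACT_TRACE, got %q", call.Action) }`, would surface the mistake at load time (this assumes `fmt` is in scope in this file, which the hunk does not show); the loop's enclosing function starts above the hunk. `createSpecsSyscall` also has no doc comment, and the new parameter deserves one: `// createSpecsSyscall builds one runtime-spec LinuxSyscall for name. errnoRet is stored as-is and is shared by every entry expanded from the same call.Names, so callers must not mutate it afterwards.` Separately, the `ErrnoRet` field this function now sets on `specs.LinuxSyscall` is added by hand to the vendored runtime-spec copy in the same patch; if the vendor pin is not moved to a release that carries the field, the next re-vendor removes it and this function stops compiling, so that pin is worth checking.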
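Review bot: `nosys := uint(unix.ENOSYS)` is declared at the top of `DefaultProfile` and used only once, several hundred lines below, with nothing at the declaration saying what it is for; a one-line comment, `// nosys is returned for clone3 so that libc falls back to clone(); see the clone3 entry below.`, would keep the two places connected. The patch adds no import hunk, so this presumably relies on `golang.org/x/sys/unix` already being imported by the file for the clone flag masks — worth confirming, since a missing import is the only way this hunk fails to build. The `@@ -525` hunk adds `clone3` to the CAP_SYS_ADMIN allow list next to `clone` without an argument filter, which is consistent with how `clone` is treated there; the removed entry was scoped to arm64/amd64/x32/x86 while the new placements are not, which appears harmless but is an intentional widening the commit message does not mention. `DefaultProfile` continues outside all three hunks.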
@@ -584,6 +576,16 @@ func DefaultProfile() *types.Seccomp {
 Caps: []string{"CAP_SYS_ADMIN"},
 },
 },
+ {
+ Names: []string{
+ "clone3",
+ },
+ Action: types.ActErrno,
+ ErrnoRet: &nosys,
+ Excludes: types.Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
 {
 Names: []string{
 "reboot",
diff --git a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 46049b3b..8b17fd1e 100644
--- a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -628,6 +628,7 @@ type LinuxSeccompArg struct {
 type LinuxSyscall struct {
 Names []string `json:"names"`
 Action LinuxSeccompAction `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
 Args []LinuxSeccompArg `json:"args,omitempty"`
 }
-- 
2.33.0
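Review bot: The new `clone3` entry carries the whole security rationale of this patch but has no comment, so `ActErrno` with `ENOSYS` reads as an arbitrary choice next to the profile's other deny rules. Unlike `clone`, whose flags arrive in a register that the profile's existing `clone` rule can match against the `CLONE_NEW*` mask (assuming this tree carries that upstream filter), `clone3` receives its flags in a `struct clone_args` in user memory that a seccomp filter cannot inspect, so for containers without CAP_SYS_ADMIN the namespace restriction can only be kept by refusing the call; returning ENOSYS rather than the EPERM the profile's default action presumably yields matters because glibc's `clone3` wrapper falls back to `clone()` only on ENOSYS, and with EPERM process creation under newer glibc would fail outright. I would put exactly that on the entry: `// clone3 takes its flags in a user-space struct, so the CLONE_NEW* restriction applied to clone cannot be expressed here; return ENOSYS (not EPERM) so libc falls back to clone, which is filtered above.` The rule is correctly left unscoped by arch, since the fallback must apply wherever clone3 exists. `DefaultProfile` continues outside the hunk on both sides.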