124 lines
4.5 KiB
Diff
124 lines
4.5 KiB
Diff
From 28a8f3016bfba8aab5cf0495519ca41f4c43f7a3 Mon Sep 17 00:00:00 2001
|
|
From: zhongjiawei <zhongjiawei1@huawei.com>
|
|
Date: Fri, 25 Oct 2024 15:00:22 +0800
|
|
Subject: [PATCH] docker:support calling clone when clone3 is not support
|
|
|
|
---
|
|
components/engine/api/types/seccomp.go | 1 +
|
|
components/engine/profiles/seccomp/seccomp.go | 7 +++---
|
|
.../profiles/seccomp/seccomp_default.go | 22 ++++++++++---------
|
|
.../runtime-spec/specs-go/config.go | 1 +
|
|
4 files changed, 18 insertions(+), 13 deletions(-)
|
|
|
|
diff --git a/components/engine/api/types/seccomp.go b/components/engine/api/types/seccomp.go
|
|
index 67a41e1a..0ed7d6ee 100644
|
|
--- a/components/engine/api/types/seccomp.go
|
|
+++ b/components/engine/api/types/seccomp.go
|
|
@@ -86,6 +86,7 @@ type Syscall struct {
|
|
Name string `json:"name,omitempty"`
|
|
Names []string `json:"names,omitempty"`
|
|
Action Action `json:"action"`
|
|
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
|
|
Args []*Arg `json:"args"`
|
|
Comment string `json:"comment"`
|
|
Includes Filter `json:"includes"`
|
|
diff --git a/components/engine/profiles/seccomp/seccomp.go b/components/engine/profiles/seccomp/seccomp.go
|
|
index 4438670a..993e8d87 100644
|
|
--- a/components/engine/profiles/seccomp/seccomp.go
|
|
+++ b/components/engine/profiles/seccomp/seccomp.go
|
|
@@ -128,21 +128,22 @@ Loop:
|
|
}
|
|
|
|
if call.Name != "" {
|
|
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
|
|
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args, call.ErrnoRet))
|
|
}
|
|
|
|
for _, n := range call.Names {
|
|
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
|
|
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args, call.ErrnoRet))
|
|
}
|
|
}
|
|
|
|
return newConfig, nil
|
|
}
|
|
|
|
-func createSpecsSyscall(name string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
|
|
+func createSpecsSyscall(name string, action types.Action, args []*types.Arg, errnoRet *uint) specs.LinuxSyscall {
|
|
newCall := specs.LinuxSyscall{
|
|
Names: []string{name},
|
|
Action: specs.LinuxSeccompAction(action),
|
|
+ ErrnoRet: errnoRet,
|
|
}
|
|
|
|
// Loop through all the arguments of the syscall and convert them
|
|
diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
|
|
index a90e441c..0b96de5f 100644
|
|
--- a/components/engine/profiles/seccomp/seccomp_default.go
|
|
+++ b/components/engine/profiles/seccomp/seccomp_default.go
|
|
@@ -42,6 +42,7 @@ func arches() []types.Architecture {
|
|
|
|
// DefaultProfile defines the whitelist for the default seccomp profile.
|
|
func DefaultProfile() *types.Seccomp {
|
|
+ nosys := uint(unix.ENOSYS)
|
|
syscalls := []*types.Syscall{
|
|
{
|
|
Names: []string{
|
|
@@ -489,16 +490,6 @@ func DefaultProfile() *types.Seccomp {
|
|
Arches: []string{"amd64", "x32", "x86"},
|
|
},
|
|
},
|
|
- {
|
|
- Names: []string{
|
|
- "clone3",
|
|
- },
|
|
- Action: types.ActAllow,
|
|
- Args: []*types.Arg{},
|
|
- Includes: types.Filter{
|
|
- Arches: []string{"arm64", "amd64", "x32", "x86"},
|
|
- },
|
|
- },
|
|
{
|
|
Names: []string{
|
|
"s390_pci_mmio_read",
|
|
@@ -525,6 +516,7 @@ func DefaultProfile() *types.Seccomp {
|
|
Names: []string{
|
|
"bpf",
|
|
"clone",
|
|
+ "clone3",
|
|
"fanotify_init",
|
|
"lookup_dcookie",
|
|
"mount",
|
|
@@ -584,6 +576,16 @@ func DefaultProfile() *types.Seccomp {
|
|
Caps: []string{"CAP_SYS_ADMIN"},
|
|
},
|
|
},
|
|
+ {
|
|
+ Names: []string{
|
|
+ "clone3",
|
|
+ },
|
|
+ Action: types.ActErrno,
|
|
+ ErrnoRet: &nosys,
|
|
+ Excludes: types.Filter{
|
|
+ Caps: []string{"CAP_SYS_ADMIN"},
|
|
+ },
|
|
+ },
|
|
{
|
|
Names: []string{
|
|
"reboot",
|
|
diff --git a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
|
|
index 46049b3b..8b17fd1e 100644
|
|
--- a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
|
|
+++ b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
|
|
@@ -628,6 +628,7 @@ type LinuxSeccompArg struct {
|
|
type LinuxSyscall struct {
|
|
Names []string `json:"names"`
|
|
Action LinuxSeccompAction `json:"action"`
|
|
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
|
|
Args []LinuxSeccompArg `json:"args,omitempty"`
|
|
}
|
|
|
|
--
|
|
2.33.0
|
|
|