Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG
This call is what is used to implement `dmesg` to get kernel messages
about the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host, unless
the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set
by default on the majority of distributions. Blocking this to restrict
leaks about the host configuration seems correct.
Fix #37897
See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit ccd22ffcc8b564dfc21e7067b5248819d68c56c6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index c0f1405..0d954bb 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -329,7 +329,6 @@
"sync_file_range",
"syncfs",
"sysinfo",
- "syslog",
"tee",
"tgkill",
"time",
@@ -561,6 +560,7 @@
"setdomainname",
"sethostname",
"setns",
+ "syslog",
"umount",
"umount2",
"unshare"
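Review bot: The list that `"syslog"` joins here is not named inside the hunk; from its neighbours (`setns`, `umount2`, `unshare`) and the commit title it is presumably the CAP_SYS_ADMIN rule, which a reader of the diff cannot confirm without opening the file. Allowing syslog(2) under CAP_SYS_ADMIN is consistent with the kernel's own behaviour, which still accepts CAP_SYS_ADMIN in place of CAP_SYSLOG for this call (logging it as deprecated), so this is not a wider grant than the kernel already makes. The identical addition is made to the Go profile in `seccomp_default.go` (`+ "syslog",` in its second hunk); the two copies must stay in step or the shipped JSON and the built-in default diverge, so if the JSON is not generated from the Go source a short comment on the Go side such as `// keep in sync with default.json` would help the next editor.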
@@ -762,6 +762,20 @@
]
},
"excludes": {}
+ },
+ {
+ "names": [
+ "syslog"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYSLOG"
+ ]
+ },
+ "excludes": {}
}
]
}
\ No newline at end of file
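Review bot: The new CAP_SYSLOG rule ships with `"comment": ""`, so the reasoning that the commit message gives so carefully is not visible to an operator reading the profile while diagnosing a blocked `dmesg`; consider `"comment": "syslog(2) backs dmesg and exposes host kernel messages; allowed only with CAP_SYSLOG (CAP_SYS_ADMIN is covered by the rule above)"`. Worth stating somewhere near this rule is that the seccomp gate is a filter, not the authority: a container run with a custom or unconfined profile is not covered by it, and a container that is granted CAP_SYSLOG passes the filter and then the kernel permits the read regardless of `kernel.dmesg_restrict`, so the host sysctl remains the defence that does not depend on the profile. I believe the `includes.caps` filter is resolved by the daemon from the container's configured capabilities when the profile is built rather than checked at syscall time, which is worth confirming since it affects how this rule is documented.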
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 25360a1..6055012 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -322,7 +322,6 @@
"sync_file_range",
"syncfs",
"sysinfo",
- "syslog",
"tee",
"tgkill",
"time",
@@ -492,6 +491,7 @@
"setdomainname",
"sethostname",
"setns",
+ "syslog",
"umount",
"umount2",
"unshare",
@@ -642,6 +642,16 @@
Caps: []string{"CAP_SYS_NICE"},
},
},
+ {
+ Names: []string{
+ "syslog",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYSLOG"},
+ },
+ },
}
return &types.Seccomp{