Conversation

@kwilczynski
Contributor

This is a manual cherry-pick of #8514

/assign kwilczynski

The default seccomp policy now blocks clone and clone3 system calls that can create a Linux namespace. This matches the default seccomp policy containerd uses.

@kwilczynski kwilczynski requested a review from mrunalp as a code owner September 6, 2024 20:52
@openshift-ci openshift-ci bot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Sep 6, 2024
@openshift-ci openshift-ci bot requested review from QiWang19 and hasan4791 September 6, 2024 20:53
@openshift-ci openshift-ci bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Sep 6, 2024
@kwilczynski kwilczynski changed the title Block clone with namespace flag in seccomp default profile [release-1.29] Block clone with namespace flag in seccomp default profile Sep 6, 2024
@kwilczynski
Contributor Author

/approve

@kwilczynski kwilczynski force-pushed the feature/backport-8514-to-release-1.29 branch from 8a21e21 to 9e64b1e Compare September 7, 2024 15:15
@codecov

codecov bot commented Sep 7, 2024

Codecov Report

Attention: Patch coverage is 79.71014% with 14 lines in your changes missing coverage. Please review.

Project coverage is 48.34%. Comparing base (b188424) to head (12d7b60).
Report is 59 commits behind head on release-1.29.

Additional details and impacted files
@@               Coverage Diff                @@
##           release-1.29    #8569      +/-   ##
================================================
+ Coverage         48.20%   48.34%   +0.13%     
================================================
  Files               145      145              
  Lines             16452    16577     +125     
================================================
+ Hits               7931     8014      +83     
- Misses             7546     7585      +39     
- Partials            975      978       +3     

@kwilczynski
Contributor Author

@cri-o/cri-o-maintainers, please have a look. Thank you!

@haircommander
Member

needs rebase

dgl and others added 2 commits September 19, 2024 03:52
Currently unshare is filtered by the seccomp policy mutator, but clone
isn't. This filters args to clone that can create a namespace, blocking
both ways of creating a namespace. This also unfortunately means clone3
has to be entirely disabled, because it's not possible to filter the
struct with cBPF.

Signed-off-by: David Leadbeater <[email protected]>
Co-authored-by: PannagaRamamanohara <[email protected]>
Co-authored-by: Ayato Tokubi <[email protected]>

Signed-off-by: Ayato Tokubi <[email protected]>
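An added illustration of the rule pair the commit describes, written here for this page and not taken from the PR or from CRI-O's own profile code. It uses the OCI runtime-spec seccomp fields (`names`, `action`, `args`, `errnoRet`) and assumes an allowlist profile whose `defaultAction` is `SCMP_ACT_ERRNO`, so `clone` is reachable only through the masked-flag rule while `clone3` gets ENOSYS and libc falls back to `clone`; `CloneAllowed` replays the `SCMP_CMP_MASKED_EQ` comparison so the effect on a given flag set can be checked without loading a filter.

```go
package main

// Linux clone(2) flag values from <linux/sched.h>; ENOSYS is the errno
// returned for clone3 so that libc falls back to the (filtered) clone call.
const (
	CLONE_NEWNS     = 0x00020000
	CLONE_NEWCGROUP = 0x02000000
	CLONE_NEWUTS    = 0x04000000
	CLONE_NEWIPC    = 0x08000000
	CLONE_NEWUSER   = 0x10000000
	CLONE_NEWPID    = 0x20000000
	CLONE_NEWNET    = 0x40000000
	SIGCHLD         = 17 // low bits of an ordinary fork-style clone()
	ENOSYS          = 38
	// NamespaceMask is the union of every clone flag that creates a namespace.
	NamespaceMask = CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC |
		CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET
)

// Arg and Rule mirror the OCI runtime-spec seccomp syscall entry fields.
type Arg struct {
	Index    uint   `json:"index"`
	Value    uint64 `json:"value"`
	ValueTwo uint64 `json:"valueTwo"`
	Op       string `json:"op"`
}
type Rule struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	ErrnoRet uint     `json:"errnoRet,omitempty"`
	Args     []Arg    `json:"args,omitempty"`
}

// CloneRules allows clone only when (flags & NamespaceMask) == 0 and fails
// clone3 with ENOSYS, since cBPF cannot read the clone_args struct it receives
// by pointer. Flags are arg 0 here; on s390/s390x clone takes them as arg 1.
func CloneRules() []Rule {
	return []Rule{
		{Names: []string{"clone"}, Action: "SCMP_ACT_ALLOW", Args: []Arg{
			{Index: 0, Value: NamespaceMask, ValueTwo: 0, Op: "SCMP_CMP_MASKED_EQ"}}},
		{Names: []string{"clone3"}, Action: "SCMP_ACT_ERRNO", ErrnoRet: ENOSYS},
	}
}

// CloneAllowed evaluates SCMP_CMP_MASKED_EQ as the kernel does: (flags & value) == valueTwo.
func CloneAllowed(flags uint64) bool {
	a := CloneRules()[0].Args[0]
	return flags&a.Value == a.ValueTwo
}
```

Because the allow rule is flag-based, a profile for s390/s390x needs the same mask applied at argument index 1, otherwise the check inspects the wrong register there.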
@kwilczynski kwilczynski force-pushed the feature/backport-8514-to-release-1.29 branch from 12d7b60 to 2eee205 Compare September 18, 2024 18:52
@kwilczynski
Contributor Author

Rebase done.

Signed-off-by: Ayato Tokubi <[email protected]>
@kwilczynski kwilczynski force-pushed the feature/backport-8514-to-release-1.29 branch from 2eee205 to 9dfbe32 Compare September 18, 2024 19:07
@haircommander
Member

/approve
/lgtm

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Sep 18, 2024
@kwilczynski
Contributor Author

@cri-o/cri-o-maintainers, please have a look again. Thank you!

Member

@saschagrunert saschagrunert left a comment

/retest

@openshift-ci
Contributor

openshift-ci bot commented Sep 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, kwilczynski, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [haircommander,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit ea41abd into cri-o:release-1.29 Sep 19, 2024
45 of 46 checks passed
@kwilczynski kwilczynski deleted the feature/backport-8514-to-release-1.29 branch September 19, 2024 15:10