seccomp v0.2.1

@vvoland released this 30 Apr 23:10 · 8 commits to main since this release
Tag: seccomp/v0.2.1 · Commit: 5ad5f40

What's Changed

  • Block AF_ALG sockets in the default seccomp profile

    AF_ALG (address family 38) exposes the Linux kernel crypto API to userspace
    via socket(2). Containers have no legitimate need for this interface under
    the default profile, and leaving it accessible widens the kernel attack surface
    unnecessarily. See copy.fail for a practical demonstration of AF_ALG
    exploitation to achieve container escape.

    The previous socket rule used a single arg0 != AF_VSOCK condition. Adding a
    second OpNotEqual for AF_ALG does not work because seccomp evaluates multiple
    argument conditions within a single rule as a logical AND against the same
    argument index. Instead, the socket allowlist is restructured into three
    range-based rules that cover every domain except AF_ALG (38) and AF_VSOCK (40):

    1. Allow socket when arg0 < 38 (all families below AF_ALG)
    2. Allow socket when arg0 == 39 (the single family between them)
    3. Allow socket when arg0 > 40 (all families above AF_VSOCK)

    Domains 38 and 40 match none of the three rules and fall through to the
    profile's default SCMP_ACT_ERRNO action.
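The rule semantics described above (conditions inside one rule are ANDed, rules in the profile are ORed, and a call that matches no rule falls through to the default action) can be checked with a small model. The following Go program is an added example written for this page, not code from the moby profiles module: it models the v0.2.0 single-condition rule beside the three v0.2.1 range rules and sweeps socket(2) domains 0..45 to show which ones fall through to SCMP_ACT_ERRNO. The type and function names are constructed for the example; the address-family numbers 38 and 40 come from the release note.

```go
package main

import "fmt"

// CmpOp models the comparison operators used in seccomp argument filters.
// These names are constructed for this example; they mirror the OCI profile
// ops (SCMP_CMP_LT, SCMP_CMP_EQ, SCMP_CMP_GT, SCMP_CMP_NE) but are not the
// project's own types.
type CmpOp int

const (
	OpLessThan CmpOp = iota
	OpEqualTo
	OpGreaterThan
	OpNotEqual
)

// ArgCond is one comparison against a syscall argument selected by index.
type ArgCond struct {
	Index int
	Op    CmpOp
	Value uint64
}

// Rule allows a syscall when every ArgCond holds: conditions within a
// single rule are evaluated as a logical AND.
type Rule struct {
	Syscall string
	Args    []ArgCond
}

// Address-family numbers from the release note.
const (
	afAlg   uint64 = 38
	afVsock uint64 = 40
)

// condMatches evaluates a single argument comparison.
func condMatches(c ArgCond, args []uint64) bool {
	if c.Index >= len(args) {
		return false
	}
	v := args[c.Index]
	switch c.Op {
	case OpLessThan:
		return v < c.Value
	case OpEqualTo:
		return v == c.Value
	case OpGreaterThan:
		return v > c.Value
	case OpNotEqual:
		return v != c.Value
	}
	return false
}

// ruleMatches requires the syscall name to match and all conditions to hold.
func ruleMatches(r Rule, syscall string, args []uint64) bool {
	if r.Syscall != syscall {
		return false
	}
	for _, c := range r.Args {
		if !condMatches(c, args) {
			return false
		}
	}
	return true
}

// Allowed returns true when any rule matches (rules are ORed). A call that
// matches no rule falls through to the profile default, SCMP_ACT_ERRNO.
func Allowed(rules []Rule, syscall string, args []uint64) bool {
	for _, r := range rules {
		if ruleMatches(r, syscall, args) {
			return true
		}
	}
	return false
}

// OldSocketRule models the previous rule: a single arg0 != AF_VSOCK condition.
func OldSocketRule() []Rule {
	return []Rule{
		{Syscall: "socket", Args: []ArgCond{{Index: 0, Op: OpNotEqual, Value: afVsock}}},
	}
}

// NewSocketRules models the three range-based rules from the release note.
func NewSocketRules() []Rule {
	return []Rule{
		{Syscall: "socket", Args: []ArgCond{{Index: 0, Op: OpLessThan, Value: afAlg}}},      // arg0 < 38
		{Syscall: "socket", Args: []ArgCond{{Index: 0, Op: OpEqualTo, Value: afAlg + 1}}},   // arg0 == 39
		{Syscall: "socket", Args: []ArgCond{{Index: 0, Op: OpGreaterThan, Value: afVsock}}}, // arg0 > 40
	}
}

// RejectedDomains sweeps socket(domain, SOCK_STREAM, 0) for domain in
// [0, max] and returns, in ascending order, every domain that no rule allows.
func RejectedDomains(rules []Rule, max uint64) []uint64 {
	var out []uint64
	for d := uint64(0); d <= max; d++ {
		if !Allowed(rules, "socket", []uint64{d, 1, 0}) {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	fmt.Println("previous rule rejects:", RejectedDomains(OldSocketRule(), 45)) // [40]
	fmt.Println("v0.2.1 rules reject:  ", RejectedDomains(NewSocketRules(), 45)) // [38 40]
}
```

The sweep makes the gap concrete: the single `!= AF_VSOCK` condition leaves domain 38 reachable, while the three range rules reject exactly 38 and 40 and allow every other domain, including 39 between them. Extending the model with a second `OpNotEqual` on index 0 in the old rule is left as an exercise against a real libseccomp build, since the model alone does not capture how the library handles two comparisons on the same argument.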

Full Changelog: seccomp/v0.2.0...seccomp/v0.2.1