我有这个seccomp个人资料:
{
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"name": "chmod",
"action": "SCMP_ACT_ERRNO",
"args": []
},
{
"name": "chown",
"action": "SCMP_ACT_ERRNO",
"args": []
},
{
"name": "chown32",
"action": "SCMP_ACT_ERRNO",
"args": []
} }
[当使用它过滤高山或busybox容器上的系统调用时,它可以工作
docker run -it --security-opt seccomp=profile.json busybox /bin/sh
// chmod 777 /etc/hosts
// Error: operation not permitted
但是它对ubuntu无效:18.04
docker run -it --security-opt seccomp=profile.json ubuntu:18.04 /bin/sh
// chmod 777 /etc/hosts
// Success
Docker版本为19.03.8
有人遇到这个问题吗?
从docker-lab起,您似乎还缺少两个属性,无法使其在Linux上正常工作
default-no-chmod.json配置文件是对default.json配置文件的修改,从其白名单中删除了
chmod()
,fchmod()
和chmodat()
系统调用。
{
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"name": "chmod",
"action": "SCMP_ACT_ERRNO",
"args": []
},
{
"name": "fchmod",
"action": "SCMP_ACT_ERRNO",
"args": [
]
},
{
"name": "fchmodat",
"action": "SCMP_ACT_ERRNO",
"args": [
]
},
{
"name": "chown",
"action": "SCMP_ACT_ERRNO",
"args": []
},
{
"name": "chown32",
"action": "SCMP_ACT_ERRNO",
"args": []
}]
}
现在,如果您从ubuntu尝试,您将获得预期的结果
docker run -it --security-opt seccomp=profile.json ubuntu:18.04 /bin/sh -c " chmod +x /etc/hosts"
chmod: changing permissions of '/etc/hosts': Operation not permitted
同样,busybox的结果相同
docker run -it --security-opt seccomp=profile.json busybox /bin/sh -c " chmod +x /etc/host"
chmod: /etc/host: No such file or directory