seccomp: ptrace(2) should be allowed by default for kernel >= 4.8

[AkihiroSuda]

Description

Moby allows ptrace(2) by default for kernel >= 4.8:
https://github.com/moby/moby/blob/v20.10.14/profiles/seccomp/default_linux.go#L393-L399

containerd does not: https://github.com/containerd/containerd/blob/main/contrib/seccomp/seccomp_default.go

Steps to reproduce the issue

1. See the code above

Describe the results you received and expected

received: ptrace(2) is allowed only when CAP_SYS_PTRACE is granted
expected: ptrace(2) should be allowed by default for kernel >= 4.8

What version of containerd are you using?

1.6.2

Any other relevant information

No response

Show configuration if it is related to CRI plugin.

No response

[patryk4815]

they allowing this because of CVE-2019-2054 or something like that.

[AkihiroSuda]

they allowing this because of CVE-2019-2054 or something like that.

For this CVE we have to block ptrace(2) for kernel < 4.8, but ptrace(2) is considered to be safe for kernel >= 4.8.

[disconnect3d]

To elaborate a little more: Moby has this notion of relaxing the seccomp policy (allowing syscalls) when certain capabilities are added. This is done in https://github.com/moby/moby/blob/v20.10.14/profiles/seccomp/default_linux.go#L645-L659

[AkihiroSuda]

To elaborate a little more: Moby has this notion of relaxing the seccomp policy (allowing syscalls) when certain capabilities are added. This is done in https://github.com/moby/moby/blob/v20.10.14/profiles/seccomp/default_linux.go#L645-L659

This has been already implemented in containerd too , and unrelated to the OP.

containerd/contrib/seccomp/seccomp_default.go

Lines 592 to 604 in eaf2862

	case "CAP_SYS_PTRACE":
	s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
	Names: []string{
	"kcmp",
	"pidfd_getfd",
	"process_madvise",
	"process_vm_readv",
	"process_vm_writev",
	"ptrace",
	},
	Action: specs.ActAllow,
	Args: []specs.LinuxSeccompArg{},
	})