
[release/2.3] seccomp: Block AF_ALG in default socket policy#13409

Merged
mxpv merged 2 commits into
containerd:release/2.3from
k8s-infra-cherrypick-robot:cherry-pick-13327-to-release/2.3
May 14, 2026

Conversation

@k8s-infra-cherrypick-robot

@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot commented May 14, 2026


This is an automated cherry-pick of #13327

/assign AkihiroSuda

Apply hardening to default seccomp socket policy by blocking AF_ALG

vvoland added 2 commits May 14, 2026 18:06
Add a comment explaining the purpose of the socket rules and noting that
on 32-bit x86, socket() goes through socketcall(2) which is allowed
unconditionally, so these arg filters only apply to the direct socket
syscall.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
AF_ALG (address family 38) exposes the Linux kernel crypto API to
userspace via socket(2). Containers have no legitimate need for this
interface under the default profile, and leaving it accessible widens
the kernel attack surface unnecessarily (see https://copy.fail/).

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
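The rule described in the commit messages above, as an added, stand-alone example that is not containerd's code and not the project's seccomp profile: a raw seccomp-BPF filter that makes socket(2) fail with EPERM when its first argument (the address family) is AF_ALG, and leaves every other socket family and every other syscall alone. It is Linux-only, assumes a little-endian native ABI on x86_64, aarch64 or i386 (the arch check and the low-32-bit argument load depend on that), and assumes the kernel has the crypto user API built in, so that the "before" probe actually succeeds; the function names install_af_alg_filter and probe_socket are ours.

```c
/* Added example, not containerd's code: the AF_ALG socket rule as a raw
 * seccomp-BPF filter. Linux-only; assumes a little-endian native ABI. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef AF_ALG
#define AF_ALG 38 /* kernel crypto API family, as stated in the commit message */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Native ABI the filter is built for. A syscall arriving under a foreign
 * ABI (e.g. 32-bit compat code on x86_64) uses different numbers, so the
 * filter fails closed instead of comparing nr against the wrong table. */
#if defined(__x86_64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define SC_OFF(field) offsetof(struct seccomp_data, field)

/* Install the filter into the calling process.
 * Returns 0 on success, -errno on failure. */
int install_af_alg_filter(void)
{
    struct sock_filter filter[] = {
        /* 0-2: fail closed on a foreign ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-4: anything that is not socket(2) is allowed (jump to 8). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        /* 5-6: load arg0 (domain). seccomp_data.args are u64 and BPF loads
         * 32 bits; the kernel reads the family as an int, so on little-endian
         * the low word at args[0] is exactly what socket(2) sees. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG, 0, 1),
        /* 7: AF_ALG -> return EPERM to the caller instead of the socket. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 8: every other family is allowed. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Try to open (and immediately close) a socket of the given family/type.
 * Returns 0 on success, -errno otherwise. */
int probe_socket(int family, int type)
{
    int fd = socket(family, type, 0);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

int main(void)
{
    /* Before the filter: AF_ALG is reachable on a kernel with the crypto user API. */
    printf("before filter: AF_ALG socket -> %d\n", probe_socket(AF_ALG, SOCK_SEQPACKET));

    int rc = install_af_alg_filter();
    if (rc != 0) {
        fprintf(stderr, "install_af_alg_filter failed: %d\n", rc);
        return 1;
    }

    /* After the filter: AF_ALG is refused with EPERM, AF_UNIX still works. */
    printf("after filter:  AF_ALG socket -> %d (expect %d)\n",
           probe_socket(AF_ALG, SOCK_SEQPACKET), -EPERM);
    printf("after filter:  AF_UNIX socket -> %d (expect 0)\n",
           probe_socket(AF_UNIX, SOCK_STREAM));
    return 0;
}
```

The filter inspects only the direct socket(2) syscall, which is the limitation the first commit message records: on 32-bit x86 a libc that routes socket() through socketcall(2) never reaches index 5 above, and seccomp-BPF cannot follow the pointer to the argument block that socketcall takes, so the family is not inspectable there. That is why an argument filter on socket is only a hardening measure for ABIs where socket is a direct syscall, and why the profile allows socketcall unconditionally rather than pretending to filter it.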
@github-project-automation github-project-automation Bot moved this from Needs Triage to Review In Progress in Pull Request Review May 14, 2026
@mxpv mxpv merged commit 85f22f7 into containerd:release/2.3 May 14, 2026
135 of 138 checks passed
@github-project-automation github-project-automation Bot moved this from Review In Progress to Done in Pull Request Review May 14, 2026


6 participants