New seccomp json format

[runcom]

- What I did

Note that this change is fully backward compatible, people can still use the current seccomp profile json format

I've modified the json seccomp profile format to be more expressive and to allow conditionals with filters. Syscall names can now also be grouped together if they have same action,args,includes,excludes. includes are ORed while excludes are any of. Conditionals can be expressed on architectures and capabilities also. See following examples of new format:

{
    "archMap": [{
        "architecture": "SCMP_ARCH_X86_64",
        "subArchitectures": [
            "SCMP_ARCH_X86",
            "SCMP_ARCH_X32"
        ]
    }],
    "syscalls": [{
        "names": [
            "accept",
            "accept4",
            "access",
            "alarm",
            "alarm",
            "bind",
            "brk",
            "capget",
            "capset",
            "chdir",
            "chmod"
        ],
        "action": "SCMP_ACT_ALLOW",
        "args": [],
        "comment": "this is a comment!",
        "includes": {},
        "excludes": {}
    }, {
        "names": [
            "iopl",
            "ioperm"
        ],
        "action": "SCMP_ACT_ALLOW",
        "args": [],
        "comment": "",
        "includes": {
            "caps": [
                "CAP_SYS_RAWIO"
            ]
        },
        "excludes": {}
    }, {
        "names": [
            "clone"
        ],
        "action": "SCMP_ACT_ALLOW",
        "args": [{
            "index": 1,
            "value": 2080505856,
            "valueTwo": 0,
            "op": "SCMP_CMP_MASKED_EQ"
        }],
        "comment": "",
        "includes": {
            "arches": [
                "s390",
                "s390x"
            ]
        },
        "excludes": {
            "caps": [
                "CAP_SYS_ADMIN"
            ]
        }
    }]
}

- How I did it

vim

- How to verify it

You can run containers with --seccomp-profile=$DOCKERSRC/profiles/seccomp/default.json and tweak it to verify seccomp rules are ok when running containers.

- Description for the changelog

New seccomp json format

- A picture of a cute animal (not mandatory but encouraged)

Following from #24221, this is a proposal about defining a new and more expressive (even if more verbose) seccomp json profile.

/cc @justincormack @jfrazelle @rhatdan @mheon @thaJeztah @LK4D4

TODO:

the stuff I've removed from this list should be done in a follow up or re-writing #24221

• re-generate profiles/seccomp/default.json
• changes in docker/engine-api after design-review PR types: new seccomp format docker-archive-public/docker.engine-api#313
• add forward compatibility of the old json profile
• documentation
• moar tests
• hash based check to detect if running with Docker's default profile
• docker info enhancement from daemon: add a flag to override the default seccomp profile #24221
• teach the daemon to read from /etc/docker/seccomp.json daemon: add a flag to override the default seccomp profile #24221 (comment) instead of embedding the profile in code (might actually be still ok to override in daemon?)

NOTE: it's not as big as it seems, the actual files changed are just 7, the rest is syscall definitions and the json 😸

Signed-off-by: Antonio Murdaca runcom@redhat.com

[thaJeztah]

thanks @runcom

[runcom]

failing tests are about the forward compatibility of the old profile - I'll fix them

[runcom]

CI should be now failing only on vendor (except flakes of course)

(I don't remember what status/failing-ci is for, was it for flakes right? otherwise I can see if a PR has failing CI by just looking at the global Pull Requests page looking for a red cross)

[justincormack]

cc @jfrazelle as well

[runcom]

just a note, names are really arbitrary (includes, excludes are ugly to me) but didn't find any better, feel free to suggest others

[runcom]

/cc'ing @cyphar as well

[justincormack]

Can you add a comment here eg "s390 parameter ordering for clone is different" as we have comments!

[runcom]

ping @justincormack

[runcom]

@thaJeztah @justincormack @icecrime are there any plan to have this in 1.13?

[justincormack]

Yes definitely. I think its fine now. Was going to add a few more tests but
can do after merge.

LGTM.

[justincormack]

engine-api change merged so you can fix vendoring

[runcom]

@justincormack doing it right now - though, talking to @vdemeester to create another PR because the vendoring changes a lot in docker/docker overall and probably needs its own PR

[justincormack]

@runcom yes that makes sense

[runcom]

@justincormack @vdemeester removed the vendor commit and created #26200 - I'll rebase this one after that's merged.

[runcom]

@justincormack @vdemeester rebased after #26200 merge

[justincormack]

Needs some more LGTM cc @estesp @vdemeester

[vdemeester]

LGTM 🐸

[justincormack]

cc @cpuguy83

[justincormack]

All green...

[cyphar]

🎉

[nodakai]

I spotted an incoherency in the expected JSON format:

    "archMap": [{
        "architecture": "SCMP_ARCH_X86_64",
        "subArchitectures": [
            "SCMP_ARCH_X86",
            "SCMP_ARCH_X32"
        ]
    }],
...
        "includes": {
            "arches": [
                "s390",
                "s390x"
            ]
        },

That is, includes/excludes.arches take strings a la ScmpArch.String() which don't follow the SCMP_ARCH_* style (e.g. amd64 vs. SCMP_ARCH_X86_64.)

[thaJeztah]

@nodakai could you open a separate issue for discussing? (Also what you think it should looks like?)