seccomp: allow ptrace(2) for 4.8+ kernels

[tonistiigi]

4.8+ kernels have fixed the ptrace security issues
so we can allow ptrace(2) on the default seccomp
profile if we do the kernel version check.

torvalds/linux@93e35ef

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com

[tonistiigi]

cc @justincormack @jessfraz

[codecov]

Codecov Report

Merging #38137 into master will decrease coverage by 0.43%.
The diff coverage is 30.76%.

@@            Coverage Diff             @@
##           master   #38137      +/-   ##
==========================================
- Coverage   36.55%   36.12%   -0.44%     
==========================================
  Files         610      610              
  Lines       45275    45242      -33     
==========================================
- Hits        16551    16342     -209     
- Misses      26394    26656     +262     
+ Partials     2330     2244      -86

[thaJeztah]

I know generally we tried to avoid kernel version checks; Will this be an issue if distros backport this fix? (i.e., would there be another approach so that the default could manually be overridden at compile time?)

[tonistiigi]

If a distro backports they will just not get the ptrace support even if it may be secure for their kernel as well. User can still fix it in that case by providing a custom profile or upgrading the kernel. 4.8 is documented the switch point on the man page. Even if I would dynamically detect the behavior of the current system there is no way to mark that condition in the profile.

[thaJeztah]

Yeah, not sure if there's a cleaner solution. Was just thinking if (e.g.) Red Hat decides to backport, and Docker wants to ship Docker EE packages for RHEL with a correct profile

[justincormack]

You can ship a different default profile anyway, so I don't think this is an issue.

[abudnik]

In theory, we might want to specify a range or list of ranges of kernel versions, e.g. ["4.4.0", null], [null, "4.4.0"], [["3.16.0", "4.4.0"], ...]. It would be great to consider adding ranges into the current Seccomp profile format, so that it will be easier to implement ranges in the future in a backward-compatible way.

[abudnik]

Consider using empty array [] instead of null for consistency.

[tonistiigi]

I can change it to any syntax that maintainers like to have. The current one came from discussing different variants (including the range one) with @justincormack

[cpuguy83]

I'm fine with this.

[abudnik]

Ranges format makes sense if some severe bug appeared on some kernel version A and fixed later on some version B.

If adding ranges format in the future is not hard and is backward-compatible, then I have nothing against the current format : )

[tonistiigi]

ping @justincormack @tiborvass

[tiborvass]

Approving this after talking with @ncopa. He's also warning about abuse of the kernel version field.

[justincormack]

not sure I like defining local closures like this, can you just make it a helper function external to this? (yes, Go should allow local functions...)

[justincormack]

in the error case should we not just include the rule anyway? ie fail closed not error.

[tonistiigi]

This should fail only in the case where profile had a version that couldn't be parsed. I think that case is similar to the other validation, eg. the call.Names check.

[justincormack]

Technically the kernel version is 4.8, there is not a 4.8.0 release, ir goes 4.8, 4.8.1...

[justincormack]

This should have a test.

[justincormack]

Some comments but LGTM generally. Note that some uses for ptrace will still be blocked by CAP_PTRACE and maybe Yama kernel module, but basic debug etc should work.

[tonistiigi]

@justincormack For the test, what kind are you expecting. A unit test of some component? Integration seems tricky as this behavior is very much host dependent.

[tonistiigi]

@justincormack And just to confirm, no ranges like #38137 (comment) , right? I'd be fine with adding it. It could be useful in the case where a syscall becomes broken in a future version, and a seccomp profile could block that without upgrading the daemon.

[tonistiigi]

ping @justincormack

[abudnik]

@tonistiigi Does the current default Docker Seccomp profile allows ptrace syscall on kernel 4.8+ even thought a container user does not have CAP_SYS_PTRACE capability?

		{
			"names": [
				"ptrace"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": null,
			"comment": "",
			"includes": {
				"minKernel": "4.8"
			},
			"excludes": {}
		},
...
		{
			"names": [
				"kcmp",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_PTRACE"
				]
			},
			"excludes": {}
		},

[tonistiigi]

@abudnik This PR is not in any release version of Docker yet. Next version 19.03 should allow it.

[abudnik]

@tonistiigi Previously, a default profile allowed ptrace syscall only when CAP_SYS_PTRACE capability was enabled for a process. After this change, it seems that ptrace is allowed for a non-privileged containers on Linux 4.8+. Can this lead to a security issue?

[tonistiigi]

@abudnik No it shouldn't. ptrace was blocked in seccomp because kernels before 4.8 allowed to use it for insecure things. But these have been fixed now (see linked commit) so if we know we are on the updated kernel we can allow it. ptrace is still protected by the regular kernel checks for specific arguments(eg. it will not give you same level of controls as CAP_SYS_PTRACE). If you think we might have missed something, let us know.

[AkihiroSuda]

Wondering this should be disabled when --pid=host
WDYT?

[tonistiigi]

I guess pid=host is already considered insecure as far as visibility into host processes is concerned. (cc @justincormack )

edit: and actually I'm not sure if this exposes anything very bad. You still don't have CAP_PTRACE .