[release/1.7] seccomp: Block AF_ALG in default socket policy #13406

Merged
fuweid merged 2 commits into containerd:release/1.7 from k8s-infra-cherrypick-robot:cherry-pick-13327-to-release/1.7
May 15, 2026

Conversation

@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot commented May 14, 2026

This is an automated cherry-pick of #13327

/assign AkihiroSuda

Apply hardening to block AF_ALG in default socket policy

vvoland added 2 commits May 14, 2026 18:04

Add a comment explaining the purpose of the socket rules and noting that
on 32-bit x86, socket() goes through socketcall(2) which is allowed
unconditionally, so these arg filters only apply to the direct socket
syscall.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
AF_ALG (address family 38) exposes the Linux kernel crypto API to
userspace via socket(2). Containers have no legitimate need for this
interface under the default profile, and leaving it accessible widens
the kernel attack surface unnecessarily (see https://copy.fail/).

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
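As an added example (not containerd's generated profile or any code from this PR), here is a seccomp-BPF filter for x86-64 that implements the rule the second commit describes, denying `socket(AF_ALG, ...)` with EPERM while leaving other address families and other syscalls alone, plus a minimal cBPF interpreter so the filter can be checked offline against constructed `seccomp_data` values. It assumes the x86-64 little-endian register layout and AF_ALG = 38 as stated in the commit message.

```c
// Added example (not containerd's code): x86-64 seccomp-BPF filter denying
// socket(AF_ALG, ...) with EPERM, plus a tiny cBPF interpreter to test it.
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
/* Only the direct socket(2) syscall is inspected; on 32-bit x86 a libc that
 * uses socketcall(2) never reaches the argument check, as the commit notes.
 * The kernel takes `domain` as an int, so only the low 32 bits of args[0]
 * are compared (little-endian assumed): a full 64-bit compare would miss a
 * register value whose high word is non-zero. */
static const struct sock_filter alg_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),              /* foreign arch */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),    /* not socket(2) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG, 0, 1),         /* other family */
    BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
/* Interpreter for the cBPF subset used above (LD_ABS, JEQ_K, RET_K); any other
 * opcode, an out-of-range load, or running off the end fails closed (KILL). */
static uint32_t run_filter(const struct sock_filter *p, size_t n,
                           const struct seccomp_data *sd) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (p[pc].k + sizeof acc > sizeof *sd) return SECCOMP_RET_KILL;
            memcpy(&acc, (const char *)sd + p[pc].k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;  /* +1 from the loop */
            break;
        case BPF_RET | BPF_K: return p[pc].k;
        default: return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}
/* Decision for raw syscall `nr` whose first argument register holds `arg0`. */
uint32_t decide(int nr, uint64_t arg0) {
    struct seccomp_data sd = { .nr = nr, .arch = AUDIT_ARCH_X86_64,
                               .args = { arg0, SOCK_SEQPACKET, 0 } };
    return run_filter(alg_filter, sizeof alg_filter / sizeof *alg_filter, &sd);
}
```

The same `alg_filter` array can be loaded for real with `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` after `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)`, wrapped in a `struct sock_fprog`.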
github-project-automation Bot moved this from Needs Triage to Review In Progress in Pull Request Review May 14, 2026
samuelkarp moved this from Review In Progress to Merge on Green in Pull Request Review May 14, 2026
github-project-automation Bot moved this from Merge on Green to Review In Progress in Pull Request Review May 15, 2026
fuweid merged commit 9c3d01b into containerd:release/1.7 May 15, 2026
91 of 92 checks passed
github-project-automation Bot moved this from Review In Progress to Done in Pull Request Review May 15, 2026
6 participants