我有这个seccomp配置文件:
{
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"name": "chmod",
"action": "SCMP_ACT_ERRNO",
"args": []
},
{
"name": "chown",
"action": "SCMP_ACT_ERRNO",
"args": []
},
{
"name": "chown32",
"action": "SCMP_ACT_ERRNO",
"args": []
} }
当使用它过滤高山或busybox容器上的系统调用时,它可以工作
docker run -it --security-opt seccomp=profile.json busybox /bin/sh
// chmod 777 /etc/hosts
// Error: operation not permitted
但这对ubuntu没有影响:18.04
docker run -it --security-opt seccomp=profile.json ubuntu:18.04 /bin/sh
// chmod 777 /etc/hosts
// Success
Docker版本为19.03.8
有没有人遇到这个问题?
从docker-lab看来,您似乎缺少了另外两个属性以使其在Linux上正常工作
默认-NO-chmod.json轮廓是default.json轮廓的变形例>与
chmod()
,fchmod()
,和chmodat()
系统调用从其白名单中删除。
{
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"name": "chmod",
"action": "SCMP_ACT_ERRNO",
"args": []
},
{
"name": "fchmod",
"action": "SCMP_ACT_ERRNO",
"args": [
]
},
{
"name": "fchmodat",
"action": "SCMP_ACT_ERRNO",
"args": [
]
},
{
"name": "chown",
"action": "SCMP_ACT_ERRNO",
"args": []
},
{
"name": "chown32",
"action": "SCMP_ACT_ERRNO",
"args": []
}]
}
现在,如果您从ubuntu尝试过,您将获得预期的结果
docker run -it --security-opt seccomp=profile.json ubuntu:18.04 /bin/sh -c " chmod +x /etc/hosts"
chmod: changing permissions of '/etc/hosts': Operation not permitted
此外,busybox的结果相同
docker run -it --security-opt seccomp=profile.json busybox /bin/sh -c " chmod +x /etc/host"
chmod: /etc/host: No such file or directory
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句