Merge pull request #694 from KentaTada/add-cgroup-namespace-check

kolyshkin · web-flow · commit 5d67a70f9207 · 2022-10-18T16:35:40.000-07:00
seccomp: add CloneNewCgroup to check sysCloneFlagsIndex
diff --git a/generate/seccomp/seccomp_default.go b/generate/seccomp/seccomp_default.go
@@ -513,7 +513,7 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
 				Args: []rspec.LinuxSeccompArg{
 					{
 						Index:    sysCloneFlagsIndex,
-						Value:    CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet,
+						Value:    CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet | CloneNewCgroup,
 						ValueTwo: 0,
 						Op:       rspec.OpMaskedEqual,
 					},
diff --git a/generate/seccomp/seccomp_default_linux.go b/generate/seccomp/seccomp_default_linux.go
@@ -3,14 +3,15 @@
 
 package seccomp
 
-import "syscall"
+import "golang.org/x/sys/unix"
 
 // System values passed through on linux
 const (
-	CloneNewIPC  = syscall.CLONE_NEWIPC
-	CloneNewNet  = syscall.CLONE_NEWNET
-	CloneNewNS   = syscall.CLONE_NEWNS
-	CloneNewPID  = syscall.CLONE_NEWPID
-	CloneNewUser = syscall.CLONE_NEWUSER
-	CloneNewUTS  = syscall.CLONE_NEWUTS
+	CloneNewIPC    = unix.CLONE_NEWIPC
+	CloneNewNet    = unix.CLONE_NEWNET
+	CloneNewNS     = unix.CLONE_NEWNS
+	CloneNewPID    = unix.CLONE_NEWPID
+	CloneNewUser   = unix.CLONE_NEWUSER
+	CloneNewUTS    = unix.CLONE_NEWUTS
+	CloneNewCgroup = unix.CLONE_NEWCGROUP
 )

Original file line number	Diff line number	Diff line change
`@@ -513,7 +513,7 @@ func DefaultProfile(rs specs.Spec) rspec.LinuxSeccomp {`
`513`	`513`	`Args: []rspec.LinuxSeccompArg{`
`514`	`514`	`{`
`515`	`515`	`Index: sysCloneFlagsIndex,`
`516`		`- Value: CloneNewNS \| CloneNewUTS \| CloneNewIPC \| CloneNewUser \| CloneNewPID \| CloneNewNet,`
	`516`	`+ Value: CloneNewNS \| CloneNewUTS \| CloneNewIPC \| CloneNewUser \| CloneNewPID \| CloneNewNet \| CloneNewCgroup,`
`517`	`517`	`ValueTwo: 0,`
`518`	`518`	`Op: rspec.OpMaskedEqual,`
`519`	`519`	`},`