Enable SECCOMP_FILTER_FLAG_LOG and SECCOMP_FILTER_FLAG_SPEC_ALLOW…

… per default We now enable both flags for the default seccomp profile. Signed-off-by: Sascha Grunert <[email protected]>
containers · Feb 23, 2022 · 84a0a51 · 84a0a51
1 parent 468d7e6
commit 84a0a51
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
@@ -47,6 +47,11 @@ func DefaultProfile() *Seccomp {
  enosys := uint(unix.ENOSYS)
  eperm := uint(unix.EPERM)
 
+ flags := []string{
+ SeccompFilterFlagLog,
+ SeccompFilterFlagSpecALlow,
+ }
+
  syscalls := []*Syscall{
  {
  Names: []string{
@@ -882,5 +887,6 @@ func DefaultProfile() *Seccomp {
  DefaultErrnoRet: &enosys,
  ArchMap: arches(),
  Syscalls: syscalls,
+ Flags: flags,
  }
 }
diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json
@@ -1037,5 +1037,9 @@
  },
  "excludes": {}
  }
+ ],
+ "flags": [
+ "SECCOMP_FILTER_FLAG_LOG",
+ "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
  ]
 }
diff --git a/pkg/seccomp/types.go b/pkg/seccomp/types.go
@@ -20,6 +20,18 @@ type Seccomp struct {
  Flags []string `json:"flags,omitempty"`
 }
 
+const (
+ // SeccompFilterFlagLog is the filter to return actions except
+ // SECCOMP_RET_ALLOW should be logged. An administrator may override this
+ // filter flag by preventing specific actions from being logged via the
+ // /proc/sys/kernel/seccomp/actions_logged file. (since Linux 4.14)
+ SeccompFilterFlagLog = "SECCOMP_FILTER_FLAG_LOG"
+
+ // SeccompFilterFlagSpecALlow can be used to disable Speculative Store
+ // Bypass mitigation. (since Linux 4.17)
+ SeccompFilterFlagSpecALlow = "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
+)
+
 // Architecture is used to represent a specific architecture
 // and its sub-architectures
 type Architecture struct {