> On Jan. 3, 2019, 1:58 a.m., Gilbert Song wrote:
> > src/linux/seccomp/seccomp.cpp
> > Lines 141-144 (patched)
> > <https://reviews.apache.org/r/68018/diff/11/?file=2116580#file2116580line141>
> >
> >     Instead of always setting `SCMP_FLTATR_CTL_NNP`, should we consider
> >     checking root privileges first (e.g., `geteuid() != 0`)?
>
> Andrei Budnik wrote:
>     By default, libseccomp sets the `SCMP_FLTATR_CTL_NNP` flag to `true`:
>
>     https://github.com/seccomp/libseccomp/blob/1e64feb5f1a9ea02687228e3073e8b784a04ce46/src/db.c#L960
>
>     Hence, all Seccomp tests pass even after removing `seccomp_attr_set(ctx,
>     SCMP_FLTATR_CTL_NNP, 1)`. Also, this means that the Docker daemon launches its
>     containers with this flag set by default (as they also use libseccomp).
>
>     Disabling the `SCMP_FLTATR_CTL_NNP` flag for `root` means that the Seccomp
>     filter can be reverted anytime. So, disabling this flag is meaningless.
>
> Gilbert Song wrote:
>     Gotcha. Does it imply that a task launched by the docker daemon with a seccomp
>     profile enabled cannot setuid (assuming docker relies on execve/execvpe)?

No, it doesn't. See my comment https://reviews.apache.org/r/68018/#comment297515
starting with `Docker daemon can not be used to run arbitrary programs...`.

- Andrei

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68018/#review211623
-----------------------------------------------------------

On Nov. 8, 2018, 3:24 p.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68018/
> -----------------------------------------------------------
>
> (Updated Nov. 8, 2018, 3:24 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9034
>     https://issues.apache.org/jira/browse/MESOS-9034
>
>
> Repository: mesos
>
>
> Description
> -------
>
> `SeccompFilter` class is a wrapper for `libseccomp` API. Its main
> purpose is to provide a translation of the `ContainerSeccompProfile`
> message into calls of `libseccomp` API.
>
>
> Diffs
> -----
>
>   src/CMakeLists.txt a574d449dc26b820cbef7ff0b5e94b42b6fe86cf
>   src/Makefile.am cd785255fcdf1302a8f9fa358039e5d1f200e132
>   src/linux/seccomp/seccomp.hpp PRE-CREATION
>   src/linux/seccomp/seccomp.cpp PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/68018/diff/15/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>