
seccomp: should valueTwo be required with SCMP_CMP_MASKED_EQ?

Open · flx42 opened this issue 7 years ago · 1 comment

valueTwo is listed as OPTIONAL, and in the Go struct it's tagged omitempty.

As a result, docker's seccomp policy will be encoded as this:

        {
          "names": [
            "clone"
          ],
          "action": "SCMP_ACT_ALLOW",
          "args": [
            {
              "index": 0,
              "value": 2080505856,
              "op": "SCMP_CMP_MASKED_EQ"
            }
          ]
        }

If the spec was generated by a Go program, you can assume that valueTwo is 0. But if it was generated in any other way, it could be a malformed configuration. Since it's potentially a critical security piece, I don't want to have to guess.

I think the spec should be more explicit in what to do if op == SCMP_CMP_MASKED_EQ, some ideas:

  • valueTwo could be REQUIRED for this op, it would require using a pointer in the Golang struct.
  • Or, the spec could mention that valueTwo defaults to 0 for this op.
  • valueTwo could be required to be unset for all other ops.

flx42, May 31 '18 22:05
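As an added example (not code from runtime-spec, Docker, or either commenter), here is a small Go validator and evaluator for rules of the shape quoted above. The types, function names and the second sample rule are my own; only the first sample rule is the one from the issue. It applies the strict reading proposed in the post (valueTwo required for SCMP_CMP_MASKED_EQ, forbidden for the other spec ops, ignored for ops the spec does not define) and evaluates the comparison with libseccomp's semantics, where value is the mask and valueTwo is the expected result of arg & mask.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// seccompRule and seccompArg are example types written for this issue, not the
// runtime-spec Go bindings. valueTwo is a pointer so that an absent key can be
// told apart from an explicit 0.
type seccompRule struct {
	Names  []string     `json:"names"`
	Action string       `json:"action"`
	Args   []seccompArg `json:"args"`
}

type seccompArg struct {
	Index    uint    `json:"index"`
	Value    uint64  `json:"value"`
	ValueTwo *uint64 `json:"valueTwo,omitempty"`
	Op       string  `json:"op"`
}

// specOps maps each operator the spec defines to whether it consumes valueTwo.
// Operators outside this map are left alone, so a runtime that supports newer
// libseccomp comparisons still validates.
var specOps = map[string]bool{
	"SCMP_CMP_NE": false, "SCMP_CMP_LT": false, "SCMP_CMP_LE": false,
	"SCMP_CMP_EQ": false, "SCMP_CMP_GE": false, "SCMP_CMP_GT": false,
	"SCMP_CMP_MASKED_EQ": true,
}

// parseRule decodes one rule as it appears in a seccomp profile.
func parseRule(text string) (seccompRule, error) {
	var r seccompRule
	err := json.Unmarshal([]byte(text), &r)
	return r, err
}

// validateRule rejects a MASKED_EQ arg without valueTwo and any other spec op
// that sets it, instead of silently assuming 0.
func validateRule(r seccompRule) error {
	for _, a := range r.Args {
		needsTwo, known := specOps[a.Op]
		if !known {
			continue
		}
		if needsTwo && a.ValueTwo == nil {
			return fmt.Errorf("arg %d: %s requires valueTwo", a.Index, a.Op)
		}
		if !needsTwo && a.ValueTwo != nil {
			return fmt.Errorf("arg %d: %s must not set valueTwo", a.Index, a.Op)
		}
	}
	return nil
}

// matches evaluates one comparison against a concrete syscall argument.
// For MASKED_EQ, libseccomp compares (arg & value) with valueTwo.
func matches(a seccompArg, arg uint64) (bool, error) {
	switch a.Op {
	case "SCMP_CMP_NE":
		return arg != a.Value, nil
	case "SCMP_CMP_LT":
		return arg < a.Value, nil
	case "SCMP_CMP_LE":
		return arg <= a.Value, nil
	case "SCMP_CMP_EQ":
		return arg == a.Value, nil
	case "SCMP_CMP_GE":
		return arg >= a.Value, nil
	case "SCMP_CMP_GT":
		return arg > a.Value, nil
	case "SCMP_CMP_MASKED_EQ":
		if a.ValueTwo == nil {
			return false, fmt.Errorf("arg %d: MASKED_EQ without valueTwo", a.Index)
		}
		return arg&a.Value == *a.ValueTwo, nil
	}
	return false, fmt.Errorf("unsupported op %q", a.Op)
}

// ruleAllows reports whether every arg comparison in the rule matches the
// given syscall arguments (all comparisons must hold for the rule to apply).
func ruleAllows(r seccompRule, args []uint64) (bool, error) {
	for _, a := range r.Args {
		if int(a.Index) >= len(args) {
			return false, fmt.Errorf("arg index %d out of range", a.Index)
		}
		ok, err := matches(a, args[a.Index])
		if err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

// dockerClone is the rule quoted in the issue, with no valueTwo key.
const dockerClone = `{"names":["clone"],"action":"SCMP_ACT_ALLOW",
 "args":[{"index":0,"value":2080505856,"op":"SCMP_CMP_MASKED_EQ"}]}`

// explicitClone is a constructed variant with valueTwo spelled out as 0.
const explicitClone = `{"names":["clone"],"action":"SCMP_ACT_ALLOW",
 "args":[{"index":0,"value":2080505856,"valueTwo":0,"op":"SCMP_CMP_MASKED_EQ"}]}`

func main() {
	for _, text := range []string{dockerClone, explicitClone} {
		r, err := parseRule(text)
		if err != nil {
			fmt.Println("parse:", err)
			continue
		}
		fmt.Println("validate:", validateRule(r))
	}
}
```

With the pointer field, the Docker rule as quoted fails validation, while the same rule with "valueTwo": 0 passes and evaluates as intended: a clone() whose flags argument has no bit in the 2080505856 mask set matches, and one with any masked bit set does not.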

  • valueTwo could be REQUIRED for this op, it would require using a pointer in the Golang struct.
  • Or, the spec could mention that valueTwo defaults to 0 for this op.

Either of these would work, although I personally prefer the first.

  • valueTwo could be required to be unset for all other ops.

I think this is a good idea, as long as we make it clear that the requirement only applies to ops listed in the spec. libseccomp could add new comparison ops taking two (or more) arguments, and runtimes supporting those extensions would still be compliant with the spec.

wking, Jun 02 '18 04:06