Limit permissions for Android images.

Alexhuszagh · Alexhuszagh · commit aa6044167472 · 2022-06-02T20:39:40.000-05:00
Remove the use of the `--privileged` flag for Android images and instead use an seccomp permissions. The provided profile is derived from the docker documentation, with slight modifications to allow `clone` and `clone3`. The documentation is [docker seccomp](https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile), which details the syscalls blocked by docker. The same is true for podman. We merely modified these settings to allow `personality` syscall, which then allows us to use our Android images.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+- #746 - limit image permissions for android images.
 - #741 - added `armv7-unknown-linux-gnueabi` and `armv7-unknown-linux-musleabi` targets.
 - #377 - update WINE versions to 7.0.
 - #734 - patch `arm-unknown-linux-gnueabihf` to build for ARMv6, and add architecture for crosstool-ng-based images.
diff --git a/src/docker.rs b/src/docker.rs
@@ -1,6 +1,7 @@
 use std::path::{Path, PathBuf};
 use std::process::{Command, ExitStatus};
 use std::{env, fs};
+use std::io::Write;
 
 use crate::cargo::Root;
 use crate::errors::*;
@@ -14,6 +15,11 @@ const DOCKER_IMAGES: &[&str] = &include!(concat!(env!("OUT_DIR"), "/docker-image
 const CROSS_IMAGE: &str = "ghcr.io/cross-rs";
 const DOCKER: &str = "docker";
 const PODMAN: &str = "podman";
+// secured profile based off the docker documentation for denied syscalls:
+// https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile
+// note that we've allow listed `clone` and `clone3`, which is necessary
+// to fork the process, and which podman allows by default.
+const SECCOMP: &str = include_str!("seccomp.json");
 
 fn get_container_engine() -> Result<std::path::PathBuf, which::Error> {
     if let Ok(ce) = env::var("CROSS_CONTAINER_ENGINE") {
@@ -169,8 +175,27 @@ pub fn run(
 
     docker.arg("--rm");
 
-    if target.needs_docker_privileged() {
-        docker.arg("--privileged");
+    // docker uses seccomp now on all installations
+    if target.needs_docker_seccomp() {
+        // write to our seccomp profile if it doesn't exist.
+        let mut path = env::current_dir().wrap_err("couldn't get current directory")?;
+        path.push("target");
+        path.push(target.triple());
+        fs::create_dir_all(&path).wrap_err("couldn't make target directory")?;
+        path.push("seccomp.json");
+        if !path.exists() {
+            let mut file = fs::OpenOptions::new().write(true)
+                .create_new(true)
+                .open(&path)
+                .wrap_err("could't create seccomp profile")?;
+            file.write_all(SECCOMP.as_bytes())?;
+        }
+
+        // now, add our seccomp profile settings
+        docker.args(&[
+            "--security-opt",
+            &format!("seccomp={}", path.display()),
+        ]);
     }
 
     // We need to specify the user for Docker, but not for Podman.
diff --git a/src/main.rs b/src/main.rs
@@ -211,7 +211,7 @@ impl Target {
         !native && (self.is_linux() || self.is_windows() || self.is_bare_metal())
     }
 
-    fn needs_docker_privileged(&self) -> bool {
+    fn needs_docker_seccomp(&self) -> bool {
         let arch_32bit = self.triple().starts_with("arm")
             || self.triple().starts_with("i586")
             || self.triple().starts_with("i686");
diff --git a/src/seccomp.json b/src/seccomp.json
@@ -0,0 +1,157 @@
+{
+    "defaultAction": "SCMP_ACT_ALLOW",
+    "defaultErrnoRet": 1,
+    "syscalls": [
+        {
+            "names": [
+                "add_key",
+                "get_kernel_syms",
+                "keyctl",
+                "move_pages",
+                "nfsservctl",
+                "perf_event_open",
+                "pivot_root",
+                "query_module",
+                "request_key",
+                "sysfs",
+                "_sysctl",
+                "uselib",
+                "userfaultfd",
+                "ustat"
+            ],
+            "action": "SCMP_ACT_ERRNO"
+        },
+        {
+            "names": [
+                "acct"
+            ],
+            "action": "SCMP_ACT_ERRNO",
+            "excludes": {
+                "caps": [
+                    "CAP_SYS_PACCT"
+                ]
+            }
+        },
+        {
+            "names": [
+                "bpf",
+                "lookup_dcookie",
+                "mount",
+                "quotactl",
+                "quotactl_fd",
+                "setns",
+                "swapon",
+                "swapoff",
+                "umount",
+                "umount2",
+                "unshare",
+                "vm86",
+                "vm86old",
+                "pciconfig_read",
+                "pciconfig_write",
+                "salinfo_log_open",
+                "salinfo_event_open",
+                "sys_cacheflush",
+                "rtas"
+            ],
+            "action": "SCMP_ACT_ERRNO",
+            "excludes": {
+                "caps": [
+                    "CAP_SYS_ADMIN"
+                ]
+            }
+        },
+        {
+            "names": [
+                "clock_adjtime",
+                "clock_settime",
+                "settimeofday",
+                "stime"
+            ],
+            "action": "SCMP_ACT_ERRNO",
+            "excludes": {
+                "caps": [
+                    "CAP_SYS_TIME"
+                ]
+            }
+        },
+        {
+            "names": [
+                "create_module",
+                "delete_module",
+                "finit_module",
+                "init_module"
+            ],
+            "action": "SCMP_ACT_ERRNO",
+            "excludes": {
+                "caps": [
+                    "CAP_SYS_MODULE"
+                ]
+            }
+        },
+        {
+            "names": [
+                "get_mempolicy",
+                "mbind",
+                "set_mempolicy"
+            ],
+            "action": "SCMP_ACT_ERRNO",
+            "excludes": {
+                "caps": [
+                    "CAP_SYS_NICE"
+                ]
+            }
+        },
+        {
+            "names": [
+                "ioperm",
+                "iopl"
+            ],
+            "action": "SCMP_ACT_ERRNO",
+            "excludes": {
+                "caps": [
+                    "CAP_SYS_RAWIO"
+                ]
+            }
+        },
+        {
+            "names": [
+                "kcmp",
+                "process_vm_readv",
+                "process_vm_writev",
+                "ptrace"
+            ],
+            "action": "SCMP_ACT_ERRNO",
+            "excludes": {
+                "caps": [
+                    "CAP_SYS_PTRACE"
+                ]
+            }
+        },
+        {
+            "names": [
+                "kexec_file_load",
+                "kexec_load",
+                "reboot"
+            ],
+            "action": "SCMP_ACT_ERRNO",
+            "excludes": {
+                "caps": [
+                    "CAP_SYS_BOOT"
+                ]
+            }
+        },
+        {
+            "names": [
+                "name_to_handle_at",
+                "open_by_handle_at"
+            ],
+            "action": "SCMP_ACT_ERRNO",
+            "excludes": {
+                "caps": [
+                    "CAP_DAC_READ_SEARCH"
+                ]
+            }
+        }
+    ]
+}

Original file line number	Diff line number	Diff line change
`@@ -211,7 +211,7 @@ impl Target {`
`211`	`211`	`!native && (self.is_linux() \|\| self.is_windows() \|\| self.is_bare_metal())`
`212`	`212`	`}`
`213`	`213`
`214`		`- fn needs_docker_privileged(&self) -> bool {`
	`214`	`+ fn needs_docker_seccomp(&self) -> bool {`
`215`	`215`	`let arch_32bit = self.triple().starts_with("arm")`
`216`	`216`	`\|\| self.triple().starts_with("i586")`
`217`	`217`	`\|\| self.triple().starts_with("i686");`