From e6fa401b663d0ebd4374c9e47a7ca6150a4756cd Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Thu, 12 Aug 2021 20:06:36 +0300
Subject: [PATCH] fix: enable seccomp default profile by default

This enable seccomp profile for all containers launched by Talos: apid, trustd, etcd and kubelet. Also by default disallow gaining more privileges in the container (basically disables setuid). As containers are running as root this is no-op, but soon we'll have running as non-root users and this becomes important.

Signed-off-by: Andrey Smirnov
---
 hack/release.toml | 1 +
 .../app/machined/pkg/system/runner/containerd/containerd.go | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/hack/release.toml b/hack/release.toml
index 121551adc..e6ab88454 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -92,6 +92,7 @@ Talos can be configued to use Kubernetes 1.21 or CAPI v0.4.x components can be u
 description = """\
 * etcd PKI moved to `/system/secrets`
 * kubelet bootstrap CSR auto-signing scoped to kubelet bootstrap tokens only
+* enforce default seccomp profile on all system containers
 """
 
 [notes.equinixmetal]
diff --git a/internal/app/machined/pkg/system/runner/containerd/containerd.go b/internal/app/machined/pkg/system/runner/containerd/containerd.go
index 5cee38f6d..4927db864 100644
--- a/internal/app/machined/pkg/system/runner/containerd/containerd.go
+++ b/internal/app/machined/pkg/system/runner/containerd/containerd.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/contrib/seccomp"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/oci"
@@ -275,6 +276,8 @@ func (c *containerdRunner) newOCISpecOpts(image oci.Image) []oci.SpecOpts {
 		oci.WithEnv(c.opts.Env),
 		oci.WithHostHostsFile,
 		oci.WithHostResolvconf,
+		oci.WithNoNewPrivileges,
+		seccomp.WithDefaultProfile(),
 	)
 
 	specOpts = append(specOpts,
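Review bot: `seccomp.WithDefaultProfile()` is added before the opts appended on the very next line (`specOpts = append(specOpts,`, which continues past the hunk), and if I read containerd's DefaultProfile correctly it derives the allowed syscall list from the spec's bounding capability set at the moment the opt runs, so any capability opt applied later (for example `oci.WithCapabilities`) would not be reflected in the generated filter. Unless nothing after this point touches capabilities, it is safer to append the seccomp opt last, after every capability and user opt, or to leave a comment stating why the current ordering is correct. The two hardening opts also deserve a why-comment, e.g. `// Harden every system container: no_new_privs blocks setuid/file-capability escalation, the default seccomp filter narrows the reachable syscall surface.`. The release-note hunk mentions only the seccomp profile, while the no-new-privileges change is user visible as well. The body of newOCISpecOpts begins and ends outside the hunk.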