Revert "Block obsolete socket families in the default seccomp profile"

This reverts commit 7e3a596a63. Unfortunately, it was pointed out in https://github.com/moby/moby/pull/29076#commitcomment-21831387 that the `socketcall` syscall takes a pointer to a struct so it is not possible to use seccomp profiles to filter it. This means these cannot be blocked as you can use `socketcall` to call them regardless, as we currently allow 32 bit syscalls. Users who wish to block these should use a seccomp profile that blocks all 32 bit syscalls and then just block the non socketcall versions. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2025-12-04 19:23:06 +03:00 · 2017-05-09 14:21:19 +01:00
parent 85a7f4bbc7
commit dcf2632945
6 changed files with 6 additions and 391 deletions
--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@@ -1015,18 +1015,6 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
 	})
 }

-// TestRunSeccompProfileDenyUnusualSocketFamilies checks that rarely used socket families such as Appletalk are blocked by the default profile
-func (s *DockerSuite) TestRunSeccompProfileDenyUnusualSocketFamilies(c *check.C) {
-	testRequires(c, SameHostDaemon, seccompEnabled)
-	ensureSyscallTest(c)
-
-	runCmd := exec.Command(dockerBinary, "run", "syscall-test", "appletalk-test")
-	_, _, err := runCommandWithOutput(runCmd)
-	if err != nil {
-		c.Fatal("expected opening appletalk socket family to fail")
-	}
-}
-
 // TestRunSeccompProfileDenyCloneUserns checks that 'docker run syscall-test'
 // with a the default seccomp profile exits with operation not permitted.
 func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {