ESR-01-013 WP1: Wrong seccomp filter for CAP_NET_ADMIN (Medium)
flxo opened this issue · 1 comments
flxo commented
While auditing the seccomp filter code, an observation was made for containers which have the capability CAP_NET_ADMIN enabled via the Manifest file. For such containers, the seccomp filter will allow additional system calls which should only be allowed for CAP_SYS_ADMIN. As most of these system calls still require CAP_SYS_ADMIN upon being called, this widens the attack surface. It will also remove some restrictions from system calls. For instance, this applies to clone, which would normally be restricted to a specific subset of possible arguments.
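As an added illustration (not the project's own filter code), the following Python check runs over a constructed Docker-style seccomp profile fragment and reports the two effects the finding describes: CAP_SYS_ADMIN-only syscalls leaking to a container that holds just CAP_NET_ADMIN, and the argument filter on clone disappearing once that capability is present. The profile fragment, the any-of semantics assumed for `includes.caps`, the `SYS_ADMIN_ONLY` set and the `fix_profile` helper are all assumptions made for the example.

```python
"""Lint a Docker-style seccomp profile for capability-gated rules that hand a
CAP_NET_ADMIN container syscalls meant for CAP_SYS_ADMIN. Constructed example."""
import json

# Constructed profile fragment (not a real project filter). The third rule
# models the reported bug: CAP_NET_ADMIN is listed next to CAP_SYS_ADMIN.
PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "socket"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "op": "SCMP_CMP_MASKED_EQ",
               "valueTwo": 0}]},
    {"names": ["bpf", "mount", "umount2", "setns", "unshare", "clone"],
     "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN", "CAP_NET_ADMIN"]}}
  ]
}""")

# Assumed policy: these syscalls must never be reachable without CAP_SYS_ADMIN.
SYS_ADMIN_ONLY = {"bpf", "mount", "umount2", "setns", "unshare"}

def rule_applies(rule, caps):
    """A rule applies when unconditional or when the container holds any
    capability named in includes.caps (any-of semantics, an assumption)."""
    need = set(rule.get("includes", {}).get("caps", []))
    return not need or bool(need & set(caps))

def allowed(profile, caps):
    """Return (allowed syscall names, names allowed with no argument filter)."""
    names, unrestricted = set(), set()
    for rule in profile["syscalls"]:
        if rule.get("action") != "SCMP_ACT_ALLOW" or not rule_applies(rule, caps):
            continue
        names.update(rule["names"])
        if not rule.get("args"):          # no arg filter: fully unrestricted
            unrestricted.update(rule["names"])
    return names, unrestricted

def overgrants(profile, cap="CAP_NET_ADMIN"):
    """(leaked, relaxed): leaked = SYS_ADMIN_ONLY syscalls a container with only
    `cap` may call; relaxed = baseline syscalls whose arg filter vanishes with it."""
    base_names, base_unres = allowed(profile, [])
    cap_names, cap_unres = allowed(profile, [cap])
    leaked = cap_names & SYS_ADMIN_ONLY
    relaxed = (cap_unres - base_unres) & base_names
    return sorted(leaked), sorted(relaxed)

def fix_profile(profile, cap="CAP_NET_ADMIN", privileged="CAP_SYS_ADMIN"):
    """Hardened copy: drop `cap` from rules that are really `privileged` rules."""
    fixed = json.loads(json.dumps(profile))     # deep copy, input untouched
    for rule in fixed["syscalls"]:
        caps = rule.get("includes", {}).get("caps")
        if caps and privileged in caps and cap in caps:
            rule["includes"]["caps"] = [c for c in caps if c != cap]
    return fixed
```

Running `overgrants(PROFILE)` on the fragment reports the five CAP_SYS_ADMIN-only syscalls as leaked and clone as relaxed; on `fix_profile(PROFILE)` both lists are empty while a CAP_SYS_ADMIN container keeps its unrestricted clone.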