Bug | Resolution: Unresolved | 4.11 | Low
Description of problem:
The seccomp profile status is empty when there are not-allowed syscalls in the profile:
$ oc get seccompprofile
NAMESPACE    NAME           STATUS   AGE
dont-allow   sleep-sh-pod            30s
$ oc describe seccompprofile sleep-sh-pod | tail
    mkdir
Events:
  Type     Reason             Age                  From  Message
  ----     ------             ----                 ----  -------
  Warning  ProfileNotAllowed  92s (x138 over 66m)        profile syscall not allowed: mkdir
  Warning  ProfileNotAllowed  90s (x143 over 66m)        profile syscall not allowed: mkdir
  Warning  ProfileNotAllowed  90s (x162 over 66m)        profile syscall not allowed: mkdir
  Warning  ProfileNotAllowed  80s (x150 over 66m)        profile syscall not allowed: mkdir
  Warning  ProfileNotAllowed  76s (x149 over 66m)        profile syscall not allowed: mkdir
  Warning  ProfileNotAllowed  74s (x154 over 66m)        profile syscall not allowed: mkdir
Version-Release number of selected component (if applicable):
4.11.0-0.nightly-2022-06-06-201913 + security-profiles-operator-bundle-container-0.4.3-52
How reproducible:
always
Steps to Reproduce:
Install SPO
Patch to define a list of allowed syscalls in the spod configuration:
$ oc -n security-profiles-operator patch spod spod --type merge -p '{"spec":{"allowedSyscalls": ["arch_prctl","brk","capget","capset","chdir","clone","close","dup3","epoll_ctl","epoll_pwait","execve","exit_group","fchdir","fchown","fcntl","fstat","fstatfs","futex","getcwd","getdents64","getpid","getppid","getuid","ioctl","lseek","mmap","mount","mprotect","nanosleep","newfstatat","open","openat","pivot_root","prctl","read","rt_sigaction","rt_sigprocmask","rt_sigreturn","set_tid_address","setgid","setgroups","sethostname","setuid","stat","statfs","tgkill","time","umask","umount2","wait4","write"]}}'
$ oc new-project dont-allow
$ oc apply -f -<<EOF
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: sleep-sh-pod
spec:
  defaultAction: SCMP_ACT_ERRNO
  architectures:
    - SCMP_ARCH_X86_64
  syscalls:
    - action: SCMP_ACT_ALLOW
      names:
        - arch_prctl
        - brk
        - capget
        - capset
        - chdir
        - clone
        - close
        - dup3
        - epoll_ctl
        - epoll_pwait
        - execve
        - exit_group
        - fchdir
        - fchown
        - fcntl
        - fstat
        - fstatfs
        - futex
        - getcwd
        - getdents64
        - getpid
        - getppid
        - getuid
        - ioctl
        - lseek
        - mmap
        - mount
        - mprotect
        - nanosleep
        - newfstatat
        - open
        - openat
        - pivot_root
        - prctl
        - read
        - rt_sigaction
        - rt_sigprocmask
        - rt_sigreturn
        - set_tid_address
        - setgid
        - setgroups
        - sethostname
        - setuid
        - stat
        - statfs
        - tgkill
        - time
        - umask
        - umount2
        - wait4
        - mkdir
EOF
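Because the object's STATUS column stays empty and only the Events reveal the rejection, it helps to check a profile against the spod allow list before applying it. The following is an added example, not code from the security-profiles-operator or from this report; it assumes that only SCMP_ACT_ALLOW entries grant a syscall, that an empty allowedSyscalls list disables the check, and the status labels "Error"/"Installed" are constructed.

```python
# Constructed example: pre-check a SeccompProfile against the spod allowedSyscalls
# list before applying it. Not code from the security-profiles-operator.

# Allow list from the spod patch in the report (order kept as written there).
ALLOWED_SYSCALLS = """arch_prctl brk capget capset chdir clone close dup3 epoll_ctl
epoll_pwait execve exit_group fchdir fchown fcntl fstat fstatfs futex getcwd getdents64
getpid getppid getuid ioctl lseek mmap mount mprotect nanosleep newfstatat open openat
pivot_root prctl read rt_sigaction rt_sigprocmask rt_sigreturn set_tid_address setgid
setgroups sethostname setuid stat statfs tgkill time umask umount2 wait4 write""".split()

# The spod object after the patch, reduced to the one field the check reads.
SPOD = {"spec": {"allowedSyscalls": ALLOWED_SYSCALLS}}

# The sleep-sh-pod profile from the report: the allow list minus "write", plus "mkdir".
PROFILE = {
    "kind": "SeccompProfile",
    "metadata": {"name": "sleep-sh-pod"},
    "spec": {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"action": "SCMP_ACT_ALLOW",
                      "names": [s for s in ALLOWED_SYSCALLS if s != "write"] + ["mkdir"]}],
    },
}


def not_allowed_syscalls(profile: dict, spod: dict) -> list[str]:
    """Syscalls the profile grants that the spod allow list does not contain.

    Assumptions (not checked against SPO's source): only SCMP_ACT_ALLOW entries
    grant a syscall, and an empty allowedSyscalls list disables the check.
    """
    allowed = set(spod.get("spec", {}).get("allowedSyscalls") or [])
    if not allowed:
        return []
    found: list[str] = []
    for entry in profile.get("spec", {}).get("syscalls") or []:
        if entry.get("action") != "SCMP_ACT_ALLOW":
            continue
        for name in entry.get("names") or []:
            if name not in allowed and name not in found:
                found.append(name)
    return found


def profile_status(profile: dict, spod: dict) -> dict:
    """Summary using the event message format from the report; status labels are constructed."""
    rejected = not_allowed_syscalls(profile, spod)
    return {"status": "Error" if rejected else "Installed",
            "events": [f"profile syscall not allowed: {n}" for n in rejected]}
```

Calling `profile_status(PROFILE, SPOD)` on the report's profile yields status "Error" with the single event "profile syscall not allowed: mkdir", the same message the operator emits as a Warning.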
Actual result:
The seccompprofile status is empty when there are not-allowed syscalls in the profile:
$ oc get seccompprofile
NAMESPACE    NAME           STATUS   AGE
dont-allow   sleep-sh-pod            30s
$ oc describe seccompprofile sleep-sh-pod | tail
    mkdir
Events:
  Type     Reason             Age                  From  Message
  ----     ------             ----                 ----  -------
  Warning  ProfileNotAllowed  92s (x138 over 66m)        profile syscall not allowed: mkdir
  Warning  ProfileNotAllowed  90s (x143 over 66m)        profile syscall not allowed: mkdir
  Warning  ProfileNotAllowed  90s (x162 over 66m)        profile syscall not allowed: mkdir
  Warning  ProfileNotAllowed  80s (x150 over 66m)        profile syscall not allowed: mkdir
  Warning  ProfileNotAllowed  76s (x149 over 66m)        profile syscall not allowed: mkdir
  Warning  ProfileNotAllowed  74s (x154 over 66m)        profile syscall not allowed: mkdir
Expected result:
The seccompprofile status should not be empty when there are not-allowed syscalls in the profile; it should reflect the rejection that is currently visible only in the ProfileNotAllowed events.