Block AF_ALG in workspace seccomp profile (#21427)

geropl · web-flow · commit cfdcb39a6aef · 2026-05-04T12:22:52.000+02:00
diff --git a/components/ws-daemon/seccomp-profile-installer/main.go b/components/ws-daemon/seccomp-profile-installer/main.go
@@ -8,26 +8,36 @@ import (
 	"encoding/json"
 	"log"
 	"os"
+	"syscall"
 
 	"github.com/containerd/containerd/contrib/seccomp"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
-func main() {
-	enc := json.NewEncoder(os.Stdout)
-	enc.SetIndent("", "  ")
-	enc.SetEscapeHTML(false)
-
+func defaultWorkspaceSeccompProfile(capabilities []string) *specs.LinuxSeccomp {
 	spec := specs.Spec{
 		Process: &specs.Process{
 			Capabilities: &specs.LinuxCapabilities{
-				Bounding: os.Args[1:],
+				Bounding: capabilities,
 			},
 		},
 	}
 
 	s := seccomp.DefaultProfile(&spec)
 	s.Syscalls = append(s.Syscalls,
+		// AF_ALG exposes the kernel crypto API via sockets. Blocking only this
+		// family keeps regular networking intact while removing the copy.fail path.
+		specs.LinuxSyscall{
+			Names:  []string{"socket"},
+			Action: specs.ActErrno,
+			Args: []specs.LinuxSeccompArg{
+				{
+					Index: 0,
+					Value: syscall.AF_ALG,
+					Op:    specs.OpEqualTo,
+				},
+			},
+		},
 		specs.LinuxSyscall{
 			Names: []string{
 				"clone",
@@ -59,6 +69,16 @@ func main() {
 		},
 	)
 
+	return s
+}
+
+func main() {
+	enc := json.NewEncoder(os.Stdout)
+	enc.SetIndent("", "  ")
+	enc.SetEscapeHTML(false)
+
+	s := defaultWorkspaceSeccompProfile(os.Args[1:])
+
 	err := enc.Encode(s)
 	if err != nil {
 		log.Fatalf("cannot marshal seccomp profile: %q", err)
diff --git a/components/ws-daemon/seccomp-profile-installer/main_test.go b/components/ws-daemon/seccomp-profile-installer/main_test.go
@@ -0,0 +1,43 @@
+// Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package main
+
+import (
+	"slices"
+	"syscall"
+	"testing"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func TestDefaultWorkspaceSeccompProfileBlocksAFALGSocket(t *testing.T) {
+	profile := defaultWorkspaceSeccompProfile([]string{"AUDIT_WRITE", "NET_BIND_SERVICE"})
+
+	for _, syscallRule := range profile.Syscalls {
+		if !slices.Contains(syscallRule.Names, "socket") || syscallRule.Action != specs.ActErrno {
+			continue
+		}
+
+		for _, arg := range syscallRule.Args {
+			if arg.Index == 0 && arg.Value == syscall.AF_ALG && arg.Op == specs.OpEqualTo {
+				return
+			}
+		}
+	}
+
+	t.Fatalf("expected seccomp profile to block socket(AF_ALG, ...)")
+}
+
+func TestDefaultWorkspaceSeccompProfileKeepsRegularSocketsAvailable(t *testing.T) {
+	profile := defaultWorkspaceSeccompProfile([]string{"AUDIT_WRITE", "NET_BIND_SERVICE"})
+
+	for _, syscallRule := range profile.Syscalls {
+		if slices.Contains(syscallRule.Names, "socket") && syscallRule.Action == specs.ActAllow && len(syscallRule.Args) == 0 {
+			return
+		}
+	}
+
+	t.Fatalf("expected seccomp profile to preserve generic socket allow rule")
+}
