[docker-29.x backport] seccomp: Block AF_ALG sockets in default profile (CVE-2026-31431) by vvoland · Pull Request #52501 · moby/moby

vvoland · 2026-05-01T01:12:38Z

backport: seccomp: Block AF_ALG sockets in default profile (CVE-2026-31431) #52494

CVE-2026-31431 ("Copy Fail") is a logic flaw in the kernel's algif_aead module that allows any unprivileged user with access to AF_ALG sockets to perform a controlled 4-byte page-cache write, leading to reliable local privilege escalation. The exploit is a 732-byte Python script that works on every Linux distribution shipped since 2017.

Inside a container, this allows escalation to root within the container by corrupting setuid binaries in the page cache. Since the page cache is shared across the host, corruption of shared image-layer files is also visible to other containers using the same layers on the same node.

Seccomp profile changes

The previous default seccomp profile allowed AF_ALG sockets (only AF_VSOCK was denied). This update denies both AF_ALG (38) and AF_VSOCK (40) by allowing socket creation only for address families outside that range:

arg0 < 38 (AF_ALG) → allow
arg0 == 39 (the single family between them) → allow
arg0 > 40 (AF_VSOCK) → allow
everything else (38 and 40) → falls through to default ERRNO

The previous socket rule used a single arg0 != AF_VSOCK condition. Naively adding a second OpNotEqual for AF_ALG does not work: seccomp evaluates multiple argument conditions within a single rule as a logical AND, so arg0 != 38 AND arg0 != 40 requires two comparisons against the same argument index, which libseccomp does not support reliably in one rule. Splitting into separate deny-action rules also fails because any matching allow rule takes precedence in seccomp's first-match-wins evaluation.

See moby/profiles#20 for more details.

Additionally, socketcall(2) is now explicitly denied to prevent bypassing the socket address family filters on architectures with the legacy socketcall multiplexer. See https://github.com/moby/profiles/releases/tag/seccomp%2Fv0.2.2 for details.

Integration tests

Adds TestExecSocketDenied which compiles and runs small C programs inside a container to verify that:

AF_ALG socket creation is denied
AF_VSOCK socket creation is denied
AF_ALG via socketcall(2) (using int $0x80 from amd64) is denied
AF_ALG via a cross-compiled static i386 binary is denied

Changelog

CVE-2026-31431: Block `AF_ALG` sockets and the `socketcall(2)` multiplexer in the default seccomp profile to prevent in-container privilege escalation via the kernel crypto API ("Copy Fail").

Big thanks to @tianon for helping me figure out why the initial socketcall block didn't work: https://github.com/moby/profiles/releases/tag/seccomp%2Fv0.2.2 ❤️

Verify that AF_ALG and AF_VSOCK sockets cannot be created inside a container running with the default seccomp profile. The test compiles small C programs inside a debian:trixie-slim container that attempt to create sockets with these address families, then runs them as a non-root user (uid 1000) and asserts that socket creation is denied with EPERM or EAFNOSUPPORT. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit ccabd78) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

Test that AF_ALG is also denied through the socketcall(2) multiplexer, which is used by glibc on i386 instead of direct socket(2) syscalls. Two subtests: - AF_ALG_socketcall_int80: uses int $0x80 inline assembly from a native 64-bit binary to invoke the ia32 socketcall path, with MAP_32BIT to keep the args pointer below 4 GB (ia32 compat truncates registers). - AF_ALG_socketcall_i386: cross-compiles a static i386 binary using gcc-i686-linux-gnu where glibc naturally routes socket() through socketcall(2). Both are amd64-only. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit 5a34580) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

full diff: https://github.com/moby/profiles/seccomp/compare/v0.1.0...v0.2.1 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

full diff: https://github.com/moby/profiles/seccomp/compare/v0.2.1...v0.2.2 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

https://docs.docker.com/engine/release-notes/29/ Security This release includes hardening for CVE-2026-31431. Block AF_ALG sockets and the socketcall(2) multiplexer in the default seccomp profile to prevent in-container privilege escalation via the kernel crypto API ("Copy Fail"). moby/moby#52501

Docker 29.4.2 blocks `socketcall(2)` in the default seccomp profile: * https://docs.docker.com/engine/release-notes/29/#2942 * moby/moby#52501 On Linux i386, libc socket wrappers can still go through `socketcall(2)`. That can make `sock_tests` fail at the first `socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)` call in the i686 CI job. Emit the existing CTest skip marker for that `EPERM` case instead of failing the suite.

Docker 29.4.2 blocks `socketcall(2)` in the default seccomp profile: https://docs.docker.com/engine/release-notes/29/#2942 https://github.com/moby/profiles/releases/tag/seccomp%2Fv0.2.2 moby/moby#52501 `socketcall(2)` is relevant to Linux i386 socket wrappers: https://man7.org/linux/man-pages/man2/socketcall.2.html#STANDARDS That can make `sock_tests` fail at the first `socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)` call in the i686 CI job. Emit the existing CTest skip marker for `ENOSYS`, matching Moby's explicit deny rule, and keep `EPERM` for profiles that use the default seccomp errno.

Docker 29.4.2 blocks `socketcall(2)` in the default seccomp profile: https://docs.docker.com/engine/release-notes/29/#2942 https://github.com/moby/profiles/releases/tag/seccomp%2Fv0.2.2 moby/moby#52501 That affects the `i686, no IPC` job because it runs 32-bit Linux test binaries inside Docker. Add Docker's documented `--security-opt seccomp=unconfined` workaround to this job's `CI_CONTAINER_CAP` - the hook `ci/test/02_run_container.py` already appends to `docker run`. This restores socket availability for the 32-bit test binaries throughout the job: https://docs.docker.com/engine/security/seccomp/#run-without-the-default-seccomp-profile

Docker 29.4.2 blocks `socketcall(2)` in the default seccomp profile: https://docs.docker.com/engine/release-notes/29/#2942 https://github.com/moby/profiles/releases/tag/seccomp%2Fv0.2.2 moby/moby#52501 That affects the `i686, no IPC` job because it runs 32-bit Linux test binaries inside Docker. Add Docker's documented `--security-opt seccomp=unconfined` workaround to this job's `CI_CONTAINER_CAP` - the hook `ci/test/02_run_container.py` already appends to `docker run`. This restores socket availability for the 32-bit test binaries throughout the job: https://docs.docker.com/engine/security/seccomp/#run-without-the-default-seccomp-profile Github-Pull: bitcoin#35202 Rebased-From: 11c9ef9

vvoland added 2 commits May 1, 2026 03:10

vvoland added this to the 29.4.2 milestone May 1, 2026

vvoland self-assigned this May 1, 2026

vvoland added status/2-code-review area/security impact/changelog area/testing area/security/seccomp kind/bugfix PR's that fix bugs area/dependencies ci/validate-only labels May 1, 2026

vendor: github.com/moby/profiles/seccomp v0.2.1

a1197d9

full diff: https://github.com/moby/profiles/seccomp/compare/v0.1.0...v0.2.1 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

vvoland force-pushed the 52494-docker-29.x branch from ff71fa2 to a1197d9 Compare May 1, 2026 01:13

vvoland marked this pull request as ready for review May 1, 2026 01:16

vvoland removed the ci/validate-only label May 1, 2026

vendor: github.com/moby/profiles/seccomp v0.2.2

becdb42

full diff: https://github.com/moby/profiles/seccomp/compare/v0.2.1...v0.2.2 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

vvoland force-pushed the 52494-docker-29.x branch from cea106a to becdb42 Compare May 1, 2026 01:17

vvoland merged commit d329809 into moby:docker-29.x May 1, 2026
96 of 121 checks passed

This was referenced May 1, 2026

Bump Docker CE version to 29.4.2 jenkins-infra/packer-images#2689

Merged

Bump docker-ce version to 5:29.4.2-1~ubuntu.22.04~jammy (Jammy) jenkins-infra/jenkins-infra#4823

Merged

tspindler-cms mentioned this pull request May 2, 2026

After hardening for copy fail, need to run DCS container with seccomp=unconfined Aterfax/DCS-World-Dedicated-Server-Docker#130

Open

pantsofpie mentioned this pull request May 3, 2026

Game not starting because of a CreateBoundSocket error wolveix/satisfactory-server#466

Closed

l0rinc mentioned this pull request May 3, 2026

ci: failure in sock_tests in i686 NO IPC bitcoin/bitcoin#35199

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[docker-29.x backport] seccomp: Block AF_ALG sockets in default profile (CVE-2026-31431)#52501

[docker-29.x backport] seccomp: Block AF_ALG sockets in default profile (CVE-2026-31431)#52501
vvoland merged 4 commits intomoby:docker-29.xfrom
vvoland:52494-docker-29.x

vvoland commented May 1, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

vvoland commented May 1, 2026

Seccomp profile changes

Integration tests

Changelog

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant