seccomp: whitelist statx syscall #3111
I'll open backports for this for the release branches. Ping @tonistiigi (for BuildKit), @NobodyOnSE (thanks for the original PR), @dschmidt (thanks for reporting), @justincormack (🤗)
This whitelists the statx syscall; libseccomp 2.3.3 or later is needed for this, and older seccomp versions will ignore it. Equivalent of moby/moby#36417. Signed-off-by: Sebastiaan van Stijn <[email protected]>
066ac9f to 8f8fd3c
Oh, actually, I just realised containerd itself does not apply the seccomp profile, but (in this case) BuildKit vendors the package and applies the profile, so it needs to be vendored in BuildKit / moby after it's merged; perhaps the backports are not needed (although they don't really harm).
Codecov Report

@@            Coverage Diff            @@
##           master    #3111   +/-   ##
=======================================
  Coverage   43.59%   43.59%
=======================================
  Files         104      104
  Lines       11135    11135
=======================================
  Hits         4854     4854
  Misses       5545     5545
  Partials      736      736
LGTM
We really should standardize on the upstream for the default seccomp profile so containerd and docker (and anyone else) can use the same. Does anyone have suggestions on what this could look like? Docker has an extra requirement that profiles must be loadable/exportable to JSON, so it can't use this directly atm. For example, another change coming in 19.03 is the special handling of ptrace that is not in containerd atm.
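As an added example, not code from this PR, containerd or Docker: a small Go sketch of what the change in the PR description amounts to (appending "statx" to an allow rule of the default profile) together with the JSON loadable/exportable round-trip that the comment above says Docker requires. The `Syscall` and `Seccomp` types are a local stand-in that mirrors only a subset of the OCI runtime-spec `LinuxSeccomp` fields, the five-syscall default profile is constructed, and `Whitelist`, `Allowed` and `RoundTrip` are hypothetical helper names, not containerd's API.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Syscall and Seccomp are a simplified stand-in (assumption) for the
// runtime-spec LinuxSyscall / LinuxSeccomp types containerd's profile uses;
// only the fields needed for this example are modelled.
type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

type Seccomp struct {
	DefaultAction string    `json:"defaultAction"`
	Syscalls      []Syscall `json:"syscalls"`
}

// DefaultProfile is a constructed, tiny subset of a real default profile:
// deny by default, allow a handful of file and I/O syscalls.
func DefaultProfile() *Seccomp {
	return &Seccomp{
		DefaultAction: "SCMP_ACT_ERRNO",
		Syscalls: []Syscall{{
			Names:  []string{"read", "write", "stat", "fstat", "newfstatat"},
			Action: "SCMP_ACT_ALLOW",
		}},
	}
}

// Allowed reports whether the profile document carries an explicit allow
// rule for name. It inspects the profile only: on a host whose libseccomp
// predates 2.3.3 the name "statx" is unknown to the library and is ignored
// when the filter is loaded, so a listed name is not proof the loaded
// kernel filter permits the call.
func Allowed(p *Seccomp, name string) bool {
	for _, sc := range p.Syscalls {
		if sc.Action != "SCMP_ACT_ALLOW" {
			continue
		}
		for _, n := range sc.Names {
			if n == name {
				return true
			}
		}
	}
	return false
}

// Whitelist appends names to the first SCMP_ACT_ALLOW rule, skipping names
// that are already allowed so repeated calls leave the profile unchanged.
// If no allow rule exists, a new one is created.
func Whitelist(p *Seccomp, names ...string) {
	for i := range p.Syscalls {
		if p.Syscalls[i].Action != "SCMP_ACT_ALLOW" {
			continue
		}
		for _, n := range names {
			if !Allowed(p, n) {
				p.Syscalls[i].Names = append(p.Syscalls[i].Names, n)
			}
		}
		return
	}
	p.Syscalls = append(p.Syscalls, Syscall{Names: names, Action: "SCMP_ACT_ALLOW"})
}

// RoundTrip exports the profile to JSON and loads it back, the shape of the
// Docker requirement that a shared profile be loadable/exportable as JSON.
func RoundTrip(p *Seccomp) (*Seccomp, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	var out Seccomp
	if err := json.Unmarshal(b, &out); err != nil {
		return nil, err
	}
	return &out, nil
}

func main() {
	p := DefaultProfile()
	fmt.Println("statx allowed before:", Allowed(p, "statx"))
	Whitelist(p, "statx")
	fmt.Println("statx allowed after: ", Allowed(p, "statx"))
	q, err := RoundTrip(p)
	if err != nil {
		panic(err)
	}
	fmt.Println("statx survives JSON: ", Allowed(q, "statx"))
}
```

Running it prints false, true, true. The deduplication in `Whitelist` matters for a profile shared between projects: if both containerd and a vendoring consumer add the same name, the exported JSON stays minimal rather than accumulating duplicate entries.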
Perhaps a containerd/seccomp repository that both can vendor?
Keep it in the containerd repo.
I don't want another repo just cuz; more deps and vendors just make it complicated.
Don't mind where it is, but maintaining it as part of containerd makes sense.
This whitelists the statx syscall; libseccomp 2.3.3 or later
is needed for this, and older seccomp versions will ignore it.
Equivalent of moby/moby#36417
Addresses docker/for-linux#616