Skip to content

seccomp: seccomp: add syscalls related to PKU in default policy #7163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dmcgowan merged 1 commit into from
Jul 18, 2022
Merged

seccomp: seccomp: add syscalls related to PKU in default policy #7163

dmcgowan merged 1 commit into from
Jul 18, 2022

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Jul 13, 2022
edited
Loading

same as moby/moby#43490

Add pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) in seccomp default profile.
pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) can only configure
the calling process's own memory, so they are existing "safe for everyone" syscalls.

@thaJeztah
seccomp: seccomp: add syscalls related to PKU in default policy
19e8479 
Add pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) in seccomp default profile.
pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) can only configure
the calling process's own memory, so they are existing "safe for everyone" syscalls.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah
Copy link
Member Author

thaJeztah commented Jul 13, 2022

@samuelkarp @AkihiroSuda PTAL

@samuelkarp
Copy link
Member

samuelkarp commented Jul 13, 2022
edited
Loading

same as moby/moby#43775

That one's related to clock_settime64. Is there another Moby issue related to these PKU syscalls?

Looks like you meant to reference moby/moby#43490?

@thaJeztah
Copy link
Member Author

thaJeztah commented Jul 13, 2022

Ah, derp. Yes, had both open in a tab, and copied the wrong one ☺️

estesp
estesp approved these changes Jul 14, 2022
View reviewed changes
Copy link
Member

@estesp estesp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

mikebrow
mikebrow approved these changes Jul 14, 2022
View reviewed changes
Copy link
Member

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
fyi @kad @magowan @lumjjb

@thaJeztah
Copy link
Member Author

thaJeztah commented Jul 15, 2022

could someone kick CI on this one?

@estesp
Copy link
Member

estesp commented Jul 15, 2022

Done

@mikebrow
Copy link
Member

mikebrow commented Jul 15, 2022

"Machine type with name 'c2-standard-2' does not exist in zone 'us-central1-c'."
hmm

@mikebrow
Copy link
Member

mikebrow commented Jul 15, 2022

/test ?

@k8s-ci-robot
Copy link

k8s-ci-robot commented Jul 15, 2022

@mikebrow: The following commands are available to trigger required jobs:

  • /test pull-containerd-build
  • /test pull-containerd-node-e2e
  • /test pull-containerd-sandboxed-node-e2e

Use /test all to run the following jobs that were automatically triggered:

  • pull-containerd-build
  • pull-containerd-node-e2e
Details

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mikebrow
Copy link
Member

mikebrow commented Jul 15, 2022

/test pull-containerd-sandboxed-node-e2e

@fuweid
Copy link
Member

fuweid commented Jul 17, 2022 

Failed to start an instance: INVALID_ARGUMENT: Bad Request 400 Bad Request POST https://compute.googleapis.com:443/compute/v1/projects/cirrus-ci-community/zones/us-central1-c/instances { "error": { "code": 400, "message": "Invalid value for field 'resource.machineType': 'zones/us-central1-c/machineTypes/c2-standard-2'. Machine type with name 'c2-standard-2' does not exist in zone 'us-central1-c'.", "errors": [ { "message": "Invalid value for field 'resource.machineType': 'zones/us-central1-c/machineTypes/c2-standard-2'. Machine type with name 'c2-standard-2' does not exist in zone 'us-central1-c'.", "domain": "global", "reason": "invalid" } ] } }

hmm

@Bonjourz Bonjourz mentioned this pull request Jul 18, 2022
Closed
@dmcgowan dmcgowan merged commit e95858f into containerd:main Jul 18, 2022
@thaJeztah thaJeztah deleted the seccomp_support_pku branch July 18, 2022 22:21
@thaJeztah thaJeztah mentioned this pull request Jan 24, 2023
Merged
@thaJeztah thaJeztah added cherry-picked/1.6.x PR commits are cherry-picked into release/1.6 branch and removed cherry-pick/1.5.x labels Jul 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmcgowan dmcgowan dmcgowan approved these changes

@samuelkarp samuelkarp samuelkarp approved these changes

@estesp estesp estesp approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@mikebrow mikebrow mikebrow approved these changes

Assignees

No one assigned

Labels

cherry-picked/1.6.x PR commits are cherry-picked into release/1.6 branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@thaJeztah @samuelkarp @estesp @mikebrow @k8s-ci-robot @fuweid @dmcgowan @AkihiroSuda