seccomp policy should allow fanotify_init without CAP_SYS_ADMIN #2411

@betelgeuse

Description

        "fanotify_init",
        "lookup_dcookie",
        "quotactl",
        "quotactl_fd",
        "setdomainname",
        "sethostname",
        "setns"
      ],
      "action": "SCMP_ACT_ALLOW",
      "args": [],
      "comment": "",
      "includes": {
        "caps": [
          "CAP_SYS_ADMIN"
        ]

Prior to Linux 5.13 (and 5.10.220), calling fanotify_init()
required the CAP_SYS_ADMIN capability.  Since Linux 5.13 (and
5.10.220), users may call fanotify_init() without the
CAP_SYS_ADMIN capability to create and initialize an fanotify
group with limited functionality.

https://www.man7.org/linux/man-pages/man2/fanotify_init.2.html

The policy needs to be changed to allow this use case.

You can find ruby code to test the issue in moby/moby#49756. It's the equivalent issue to update the policy json for Moby.
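The following is an added example, not code from the issue author or from the project whose profile is quoted above. It shows how to audit a seccomp profile in the JSON format quoted in the issue for a syscall that is only allowed behind a capability gate, and how to rewrite the profile so that the syscall is allowed unconditionally, which is the change the issue asks for. The profile embedded in the block is a constructed, trimmed-down sample with the same structure as the quoted entry; the function names are the example's own.

```python
import copy
import json

# Constructed sample: a trimmed-down seccomp profile in the Docker/containerd
# JSON format quoted in the issue. Real profiles list hundreds of syscalls;
# only the entries needed here are included.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {
      "names": ["read", "write", "close"],
      "action": "SCMP_ACT_ALLOW",
      "args": [],
      "comment": "",
      "includes": {},
      "excludes": {}
    },
    {
      "names": ["fanotify_init", "lookup_dcookie", "quotactl", "setns"],
      "action": "SCMP_ACT_ALLOW",
      "args": [],
      "comment": "",
      "includes": {"caps": ["CAP_SYS_ADMIN"]},
      "excludes": {}
    }
  ]
}
""")


def entries_for(profile, syscall):
    """Return every rule entry whose "names" list contains syscall."""
    return [e for e in profile.get("syscalls", []) if syscall in e.get("names", [])]


def allowed_without_caps(profile, syscall):
    """True if some SCMP_ACT_ALLOW rule for syscall has no capability condition.

    A rule carrying "includes": {"caps": [...]} is only emitted when the
    container was granted one of those capabilities, so it does not count as
    an unconditional allow.
    """
    for e in entries_for(profile, syscall):
        if e.get("action") != "SCMP_ACT_ALLOW":
            continue
        if e.get("includes", {}).get("caps"):
            continue
        return True
    return False


def allow_unconditionally(profile, syscall):
    """Return a copy of profile in which syscall is allowed with no caps gate.

    The syscall is removed from every caps-gated allow rule (the other names
    in those rules stay gated) and appended as a new unconditional allow rule.
    The input profile is not modified.
    """
    out = copy.deepcopy(profile)
    for e in out["syscalls"]:
        if syscall in e.get("names", []) and e.get("includes", {}).get("caps"):
            e["names"].remove(syscall)
    out["syscalls"].append({
        "names": [syscall],
        "action": "SCMP_ACT_ALLOW",
        "args": [],
        "comment": "",
        "includes": {},
        "excludes": {},
    })
    return out


if __name__ == "__main__":
    print("before:", allowed_without_caps(SAMPLE_PROFILE, "fanotify_init"))
    fixed = allow_unconditionally(SAMPLE_PROFILE, "fanotify_init")
    print("after: ", allowed_without_caps(fixed, "fanotify_init"))
    print(json.dumps(fixed["syscalls"][-1], indent=2))
```

One caveat worth keeping in mind when applying such a change: the seccomp rule only decides whether the syscall reaches the kernel. On a kernel older than 5.13 the kernel's own capability check still rejects an unprivileged fanotify_init() with EPERM, so a test that sees EPERM cannot tell the two causes apart without also checking the kernel version.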
