Description
Setting time within a container (for example using date -s "2 OCT 2006 18:00:00") fails with 'Operation not permitted' if the clock_settime64 syscall is used. I have confirmed this behavior using strace.
Steps to reproduce the issue:
- Start a container with --cap-add SYS_TIME
- Try to set the time with date -s "2 OCT 2006 18:00:00"
- If the clock_settime64 syscall is used, the operation fails. This can be confirmed with strace.
- Start the same image with --security-opt seccomp:unconfined
- Run date -s "2 OCT 2006 18:00:00", it works
Describe the results you received:
'Operation not permitted' whenever clock_settime64 is used.
Describe the results you expected:
Being able to set the time within the container with --cap-add SYS_TIME.
Additional information you deem important (e.g. issue happens only occasionally):
I could only reproduce this issue on ARM32 hosts. On amd64 date uses clock_settime which is currently allowed by the default seccomp profile under SYS_TIME.
Output of docker version:
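A way to audit a seccomp profile for the gap this report describes, as an added example that is not part of the original report or of Docker's code. The profile below is a constructed sample in Docker's seccomp JSON layout (not the real default profile), the `TIME64_VARIANTS` pairs and the function names are assumptions of this example, and architecture and kernel-version conditions on rules are ignored.

```python
import json

# Constructed sample profile (Docker seccomp JSON layout), not the real default.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "clock_gettime", "clock_gettime64"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["settimeofday", "stime", "clock_settime"],
     "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_TIME"]}}
  ]
}
""")

# Assumption of this example: legacy syscall -> its 64-bit time_t variant,
# which 32-bit userspace (such as ARM32) may call instead.
TIME64_VARIANTS = {
    "clock_settime": "clock_settime64",
    "clock_gettime": "clock_gettime64",
    "clock_adjtime": "clock_adjtime64",
}


def allowed_with_caps(profile, caps):
    """Return the syscall names the profile allows for a container holding `caps`."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        needed = set(rule.get("includes", {}).get("caps", []))
        excluded = set(rule.get("excludes", {}).get("caps", []))
        # A rule applies only if every included cap is held and no excluded cap is.
        if needed <= caps and not (excluded & caps):
            allowed.update(rule.get("names", []))
    return allowed


def missing_time64(profile, caps):
    """List time64 variants that are blocked although the legacy call is allowed."""
    allowed = allowed_with_caps(profile, caps)
    return sorted(new for old, new in TIME64_VARIANTS.items()
                  if old in allowed and new not in allowed)


if __name__ == "__main__":
    print(missing_time64(SAMPLE_PROFILE, {"CAP_SYS_TIME"}))
```
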