Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile by nvcastet · Pull Request #37242 · moby/moby

nvcastet · 2018-06-08T15:50:11Z

Update seccomp profile to match docker documentation at
https://docs.docker.com/engine/security/seccomp/
fixes syscalls linked to CAP_SYS_NICE are not whitelisted in default seccomp profile #37241
Signed-off-by: Nicolas V Castet [email protected]

thaJeztah · 2018-06-08T20:57:31Z

thaJeztah · 2018-06-08T20:58:15Z

@nvcastet looks like you need to regenerate some files;

16:50:05 The result of go generate ./profiles/seccomp/ differs
16:50:05 
16:50:05  M profiles/seccomp/default.json
16:50:05 
16:50:05 Please re-run go generate ./profiles/seccomp/
16:50:05

thaJeztah · 2018-06-08T20:58:55Z

(and likely squash the two commits)

justincormack · 2018-06-08T21:07:12Z

profiles/seccomp/default.json

I think you will need to keep the original file ending without a new line to get the validation to work.

justincormack · 2018-06-08T21:11:00Z

profiles/seccomp/seccomp_default.go

name_to_handle_at is nothing to do with CAP_SYS_NICE it is gated by CAP_DAC_READ_SEARCH and there are other reasons for excluding it.

@justincormack I am totally fine removing it. But in that case the documentation would need to be updated at https://docs.docker.com/engine/security/seccomp/. Search for name_to_handle_at, it is mentioned Already gated by CAP_SYS_NICE..

Opened docker/docs#6854

codecov · 2018-06-11T12:57:43Z

Codecov Report

❗ No coverage uploaded for pull request base (master@e259323). Click here to learn what that means.
The diff coverage is 0%.

@@            Coverage Diff            @@
##             master   #37242   +/-   ##
=========================================
  Coverage          ?   35.32%           
=========================================
  Files             ?      609           
  Lines             ?    45011           
  Branches          ?        0           
=========================================
  Hits              ?    15898           
  Misses            ?    26959           
  Partials          ?     2154

nvcastet · 2018-06-11T15:20:30Z

@thaJeztah Would you know why the DockerSwarmSuite.TestAPISwarmLeaderElection test keeps failing?

14:20:57 FAIL: docker_api_swarm_test.go:296: DockerSwarmSuite.TestAPISwarmLeaderElection
14:20:57 
14:20:57 [d4789021c34ee] waiting for daemon to start
14:20:57 [d4789021c34ee] daemon started
14:20:57 
14:20:57 [da4194801ef22] waiting for daemon to start
14:20:57 [da4194801ef22] daemon started
14:20:57 
14:20:57 [decc49a95fe76] waiting for daemon to start
14:20:57 [decc49a95fe76] daemon started
14:20:57 
14:20:57 [d4789021c34ee] exiting daemon
14:20:57 assertion failed: error is not nil: Error response from daemon: rpc error: code = DeadlineExceeded desc = context deadline exceeded
14:20:57 [da4194801ef22] daemon started
14:20:57 Attempt #2: daemon is still running with pid 22957
14:20:57 [da4194801ef22] exiting daemon
14:20:57 [decc49a95fe76] exiting daemon

thaJeztah · 2018-06-11T17:41:56Z

Looks like that one is marked "flaky"; #32673

nvcastet · 2018-06-15T13:02:03Z

@thaJeztah Thanks. Do you know if it is possible to retrigger just the PR jobs that failed (here janky and windowsRS1)?

* Update profile to match docker documentation at https://docs.docker.com/engine/security/seccomp/ Signed-off-by: Nicolas V Castet <[email protected]>

thaJeztah · 2018-06-20T23:42:00Z

Hm, CI doesn't seem to restart; I asked internally if someone has access to do so

@justincormack PTAL

thaJeztah · 2018-06-21T02:33:15Z

Failure on PowerPC can be ignored;

13:56:35 FAIL: docker_cli_daemon_test.go:1800: DockerDaemonSuite.TestDaemonNoSpaceLeftOnDeviceError
13:56:35 
13:56:35 [decb810dce5dc] waiting for daemon to start
13:56:35 [decb810dce5dc] exiting daemon
13:56:35 docker_cli_daemon_test.go:1817:
13:56:35     s.d.Start(c, "--data-root", filepath.Join(testDir, "test-mount"))
13:56:35 /go/src/github.com/docker/docker/internal/test/daemon/daemon.go:203:
13:56:35     t.Fatalf("Error starting daemon with arguments: %v", args)
13:56:35 ... Error: Error starting daemon with arguments: [--data-root /tmp/no-space-left-on-device-test924999940/test-mount]
13:56:35

n4ss · 2018-06-21T19:35:30Z

LGTM !

nvcastet · 2018-06-28T13:16:47Z

@thaJeztah @justincormack Anything else needed to merge this PR?

justincormack · 2018-06-29T10:36:09Z

Its slightly odd gating these all by CAP_SYS_NICE but I think it makes sense.

thaJeztah

LGTM

thaJeztah · 2018-06-29T14:41:06Z

@nvcastet will you do a follow up PR in the documentation repo?

nvcastet · 2018-07-02T12:33:17Z

@thaJeztah Documentation PR was created at: docker/docs#6861

thaJeztah · 2018-07-03T17:23:04Z

Thanks!

Failures look to be flaky tests, so I'll go ahead and merge

GordonTheTurtle added the status/0-triage label Jun 8, 2018

thaJeztah added status/2-code-review area/security/seccomp and removed status/0-triage labels Jun 8, 2018

thaJeztah added the status/failing-ci Indicates that the PR in its current state fails the test suite label Jun 8, 2018

justincormack reviewed Jun 8, 2018

View reviewed changes

nvcastet mentioned this pull request Jun 9, 2018

Update name_to_handle_at syscall capability gate to CAP_DAC_READ_SEARCH docker/docs#6854

Closed

nvcastet force-pushed the fix_sys_nice_seccomp branch 2 times, most recently from 6d17fd4 to d6b767f Compare June 11, 2018 12:57

thaJeztah added rebuild/* and removed status/failing-ci Indicates that the PR in its current state fails the test suite labels Jun 11, 2018

nvcastet force-pushed the fix_sys_nice_seccomp branch 2 times, most recently from 701d53b to 700b4b4 Compare June 14, 2018 15:01

Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile

47dfff6

* Update profile to match docker documentation at https://docs.docker.com/engine/security/seccomp/ Signed-off-by: Nicolas V Castet <[email protected]>

nvcastet force-pushed the fix_sys_nice_seccomp branch from 700b4b4 to 47dfff6 Compare June 20, 2018 12:32

thaJeztah added rebuild/janky and removed rebuild/* labels Jun 20, 2018

GordonTheTurtle removed rebuild/janky labels Jun 20, 2018

GordonTheTurtle assigned stevvooe Jun 23, 2018

justincormack approved these changes Jun 29, 2018

View reviewed changes

thaJeztah approved these changes Jun 29, 2018

View reviewed changes

thaJeztah added status/4-merge impact/changelog impact/documentation rebuild/powerpc and removed status/2-code-review labels Jun 29, 2018

GordonTheTurtle removed the rebuild/powerpc label Jun 29, 2018

yongtang added the rebuild/powerpc label Jun 30, 2018

GordonTheTurtle removed the rebuild/powerpc label Jun 30, 2018

thaJeztah merged commit 6273dff into moby:master Jul 3, 2018

yosifkit mentioned this pull request May 13, 2019

arangodb 3.3.23 and 3.4.5 docker-library/official-images#5902

Merged

thaJeztah mentioned this pull request Jan 24, 2023

[release/1.6 backport] seccomp updates containerd/containerd#8001

Merged

filimonov mentioned this pull request Oct 21, 2024

On Docker using Clickhouse latest e155f535964c causing permission error ClickHouse/ClickHouse#68747

Closed

Conversation

nvcastet commented Jun 8, 2018

Uh oh!

thaJeztah commented Jun 8, 2018

Uh oh!

thaJeztah commented Jun 8, 2018

Uh oh!

thaJeztah commented Jun 8, 2018

Uh oh!

justincormack Jun 8, 2018

Choose a reason for hiding this comment

Uh oh!

nvcastet Jun 9, 2018

Choose a reason for hiding this comment

Uh oh!

justincormack Jun 8, 2018

Choose a reason for hiding this comment

Uh oh!

nvcastet Jun 9, 2018

Choose a reason for hiding this comment

Uh oh!

nvcastet Jun 9, 2018

Choose a reason for hiding this comment

Uh oh!

codecov bot commented Jun 11, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

nvcastet commented Jun 11, 2018

Uh oh!

thaJeztah commented Jun 11, 2018

Uh oh!

nvcastet commented Jun 15, 2018

Uh oh!

thaJeztah commented Jun 20, 2018

Uh oh!

thaJeztah commented Jun 21, 2018

Uh oh!

n4ss commented Jun 21, 2018

Uh oh!

nvcastet commented Jun 28, 2018

Uh oh!

justincormack commented Jun 29, 2018

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

thaJeztah commented Jun 29, 2018

Uh oh!

nvcastet commented Jul 2, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

thaJeztah commented Jul 3, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

codecov bot commented Jun 11, 2018 •

edited

Loading

nvcastet commented Jul 2, 2018 •

edited

Loading