This repository has been archived by the owner on Aug 14, 2020. It is now read-only.

spec: add seccomp isolator for Linux #529

Closed
jonboulle opened this issue Oct 15, 2015 · 3 comments · Fixed by #621

Comments

@jonboulle
Contributor

It would be nice to expose seccomp isolators to allow apps/pods running on Linux to restrict the permitted set of system calls.

http://man7.org/linux/man-pages/man2/seccomp.2.html
https://en.wikipedia.org/wiki/Seccomp

@alban
Member

alban commented May 31, 2016

@lucab
Contributor

lucab commented May 31, 2016

I drafted up an initial proposal for seccomp support in #620, feel free to comment there. It already allows for custom groups, under scoped namespaces.

@lucab
Contributor

lucab commented Jun 2, 2016

Moved to proposal stage, spec and code now at #621.
