
Add clone3 to seccomp profile syscalls #11976

Merged (1 commit, Aug 10, 2022)

Conversation

aledbf (Member) commented Aug 8, 2022

Related Issue(s)

Fixes #10703
Fixes #11963
Fixes #11964

How to test

  • Open a workspace and run
      git clone https://github.com/ComplianceAsCode/content/
      cd content/Dockerfiles
      docker build -t test -f ubuntu .
  • Test that the command docker run -it gitpod/workspace-full:latest bash does not end with SIGABRT

Release Notes

NONE

Werft options:

  • /werft with-preview
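An added probe (not Gitpod's code and not part of this PR) for checking from inside a workspace whether the active seccomp profile lets clone3 through, which is the condition the test steps above exercise. It assumes the usual failure mode for this class of bug: glibc only falls back to clone(2) when clone3 fails with ENOSYS, so a profile that returns EPERM makes process creation fail outright instead of falling back.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* clone3 is syscall 435 on every architecture; define it in case the
   toolchain's headers predate Linux 5.3. */
#ifndef __NR_clone3
#define __NR_clone3 435
#endif
/* Minimal struct clone_args (CLONE_ARGS_SIZE_VER0, 64 bytes), declared
   locally so the probe also builds against older UAPI headers. */
struct clone3_args_v0 {
    uint64_t flags, pidfd, child_tid, parent_tid;
    uint64_t exit_signal, stack, stack_size, tls;
};

enum clone3_status { CLONE3_ALLOWED, CLONE3_ENOSYS, CLONE3_EPERM, CLONE3_OTHER };
/* Assumed glibc behaviour: ENOSYS lets it fall back to clone(2); EPERM does not. */
enum clone3_status classify_clone3_errno(int err) {
    if (err == 0) return CLONE3_ALLOWED;
    if (err == ENOSYS) return CLONE3_ENOSYS;
    if (err == EPERM) return CLONE3_EPERM;
    return CLONE3_OTHER;
}

/* Fork a child with raw clone3 (no flags, SIGCHLD on exit), reap it and
   report whether the syscall got through the active filter. */
enum clone3_status probe_clone3(void) {
    struct clone3_args_v0 args;
    memset(&args, 0, sizeof args);
    args.exit_signal = SIGCHLD;
    long pid = syscall(__NR_clone3, &args, sizeof args);
    if (pid == 0) _exit(0);                       /* child: exit at once */
    if (pid < 0) return classify_clone3_errno(errno);
    waitpid((pid_t)pid, NULL, 0);                 /* parent: reap the child */
    return CLONE3_ALLOWED;
}

int main(void) {
    static const char *desc[] = { "allowed", "ENOSYS (glibc falls back to clone)",
        "EPERM (no fallback; the profile must list clone3)", "other error" };
    printf("clone3 probe: %s\n", desc[probe_clone3()]);
    return 0;
}
```

Run it once before and once after applying the profile change; the expected transition is from EPERM to allowed.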

werft-gitpod-dev-com commented:

started the job as gitpod-build-aledbf-clone3.1 because the annotations in the pull request description changed
(with .werft/ from main)

@aledbf aledbf marked this pull request as ready for review August 9, 2022 01:15
@aledbf aledbf requested a review from a team August 9, 2022 01:15
@github-actions github-actions bot added the team: workspace Issue belongs to the Workspace team label Aug 9, 2022
utam0k (Contributor) commented Aug 9, 2022

/hold until getting approval from @utam0k and @Furisto, because this PR affects security. Of course, comments from others are welcome.

utam0k (Contributor) left a review comment

As for the namespace, we still allow clone(2) / unshare, so it is probably not a problem. The problem is CLONE_INTO_CGROUP. But it seems that it is only used in cgroup v2, and we are separating the host cgroup namespace from the user workspace cgroup namespace. So there is no problem allowing clone3.

utam0k (Contributor) commented Aug 10, 2022

@Furisto If you approve this PR, feel free to /unhold.

kylos101 (Contributor) commented

@Furisto @utam0k does this need to be tested with cgroup v1? I ask for self-hosted customers.

Furisto (Member) commented Aug 10, 2022

@kylos101 We do not need to test it for cgroup v1.

Furisto (Member) commented Aug 10, 2022

/unhold

@roboquat roboquat merged commit 4ad0b81 into main Aug 10, 2022
@roboquat roboquat deleted the aledbf/clone3 branch August 10, 2022 15:27
utam0k (Contributor) commented Aug 12, 2022

> @Furisto @utam0k does this need to be tested with cgroup v1? I ask for self-hosted customers.

We don't need it because it relates to the seccomp notify feature, not cgroup 👍

@roboquat roboquat added deployed: workspace Workspace team change is running in production deployed Change is completely running in production labels Aug 15, 2022
@kylos101 kylos101 mentioned this pull request Jan 24, 2023