Add clone3 to seccomp profile syscalls #11976
started the job as gitpod-build-aledbf-clone3.1 because the annotations in the pull request description changed
6ba2410 to 642d7fb
As for the namespace, we still allow clone(2) / unshare, so it is probably not a problem. The problem is CLONE_INTO_CGROUP. But it seems that it is only used in the cgroup v2, and we are separating the host cgroup namespace from the user workspace cgroup namespace. So there is no problem to allow clone3.
@Furisto If you put into approve this PR, feel free
@kylos101 We do not need to test it for cgroup v1.
/unhold
Related Issue(s)
Fixes #10703
Fixes #11963
Fixes #11964
How to test
docker run -it gitpod/workspace-full:latest bash
does not end with SIGABRT
Release Notes
Werft options: