Whitelist statx syscall #36417
Conversation
This is an autogenerated file.
Please edit seccomp_default.go and run go generate.
@AkihiroSuda I hope that worked. I am no Go programmer. I am not used to having an autogenerated file in version control.
ping @justincormack @n4ss PTAL
That's fine, but note that you will need to install libseccomp-2.3.3 on the host for this to work, as I think that is the first version with
What would be the effect when running on an older libseccomp? Will it just ignore this configuration, and continue working as currently?
LGTM!
@thaJeztah I tried to emulate this case by whitelisting the fake syscall
Thanks! Changes LGTM; could you squash your commits, so that there's a single commit in this PR? While doing so, perhaps you could update the commit message to also mention that this requires newer versions of libseccomp, and will be ignored by older ones |
Older seccomp versions will ignore this.

Signed-off-by: NobodyOnSE <ich@sektor.selfip.com>
Codecov Report

```
@@            Coverage Diff            @@
##           master   #36417     +/-   ##
=========================================
  Coverage          ?   34.65%
=========================================
  Files             ?      613
  Lines             ?    45400
  Branches          ?        0
=========================================
  Hits              ?    15732
  Misses            ?    27607
  Partials          ?     2061
```
done
LGTM, thanks!
@thaJeztah Is there an ETA or a planned release for this PR?
@NobodyOnSE it was opened after code-freeze for Docker 18.03, so currently it will be included in the release after that (18.04).
If you want to try a version with this patch, nightly builds should be available soon in the "nightly" channel (e.g. nightly builds for Ubuntu 16.04: https://download.docker.com/linux/ubuntu/dists/xenial/pool/nightly/amd64/)
This whitelists the statx syscall; libseccomp-2.3.3 or up is needed for this, older seccomp versions will ignore this. Equivalent of moby/moby#36417

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

This whitelists the statx syscall; libseccomp-2.3.3 or up is needed for this, older seccomp versions will ignore this. Equivalent of moby/moby#36417

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8f8fd3c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Previously, moc calls fail with:

standard input:0: Note: No relevant classes found. No output generated.

Some relevant discussions suggest that statx functionality is needed [1], which is available with docker 18.04+ and libseccomp 2.3.3+ [2]. Ubuntu 16.04 does have libseccomp 2.4.1 [3]. Maybe Travis CI builders are just not updated.

[1] Martchus/PKGBUILDs#54
[2] moby/moby#36417
[3] https://repology.org/project/libseccomp/versions

1. Adapted to arch-travis upstream changes [1]
2. Use Bionic (Ubuntu 18.04) on Travis CI

Previously, moc calls fail with:

standard input:0: Note: No relevant classes found. No output generated.

Some relevant discussions suggest that statx functionality is needed [2], which is available with docker 18.04+ and libseccomp 2.3.3+ [3]. Ubuntu 16.04 does have libseccomp 2.4.1 [4]. Maybe Travis CI builders are just not updated.

[1] mikkeloscar/arch-travis#65
[2] Martchus/PKGBUILDs#54
[3] moby/moby#36417
[4] https://repology.org/project/libseccomp/versions
... to fix issue moby/moby#36417
Fixes issue #40 as recent versions of Docker are including moby/moby#36417.
Signed-off-by: NobodyOnSE ich@sektor.selfip.com

Edited via GitHub's web editor, so the signoff was done manually; I hope that is enough.

The need for this addition is explained in this SO post. In short: building a Qt 5.10.1 application fails in moc because it uses statx to find includes.

- What I did

Added statx to the whitelist of allowed syscalls.

- How I did it

Added it in the default.json for seccomp.

- How to verify it

Try to use statx and don't get an EPERM anymore on non-privileged containers.

- Description for the changelog

Whitelist statx syscall

- A picture of a cute animal (not mandatory but encouraged)
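As an added illustration of the change this PR makes (this is not the PR's own code or Docker's tooling), the script below loads a constructed, heavily trimmed stand-in for Docker's seccomp default.json, checks what action the profile applies to statx, and adds statx to the unconditional SCMP_ACT_ALLOW rule the way the PR does. The profile contents, the helper names and the hypothetical path are all assumptions; only the JSON structure (defaultAction, architectures, syscalls with names/action/args/includes/excludes) mirrors the real profile format.

```python
import json
from typing import Any, Dict

# Constructed, minimal stand-in for profiles/seccomp/default.json (assumption:
# the real profile lists several hundred syscalls; only the layout matters here).
MINIMAL_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            # Unconditional allow list: this is the rule the PR adds statx to.
            "names": ["fstat", "newfstatat", "openat", "read", "stat", "write"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "comment": "",
            "includes": {},
            "excludes": {},
        },
        {
            # Conditional rule (only applies on kernels >= 4.8), kept to show
            # why the checker must not treat every matching rule as unconditional.
            "names": ["ptrace"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "comment": "",
            "includes": {"minKernel": "4.8"},
            "excludes": {},
        },
    ],
})


def load_profile(text: str) -> Dict[str, Any]:
    """Parse a seccomp profile from its JSON text."""
    return json.loads(text)


def _is_unconditional(rule: Dict[str, Any]) -> bool:
    # A rule with argument filters or includes/excludes (capabilities, minKernel,
    # arches) only applies in some containers; treat it as conditional.
    return not (rule.get("args") or rule.get("includes") or rule.get("excludes"))


def effective_action(profile: Dict[str, Any], syscall: str) -> str:
    """Action the profile applies to an unconditional call of `syscall`.

    With defaultAction SCMP_ACT_ERRNO an unlisted syscall fails with EPERM,
    which is exactly the failure the PR description reports for statx.
    """
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and _is_unconditional(rule):
            return rule["action"]
    return profile["defaultAction"]


def whitelist_syscall(profile: Dict[str, Any], syscall: str) -> Dict[str, Any]:
    """Add `syscall` to the first unconditional SCMP_ACT_ALLOW rule (idempotent)."""
    for rule in profile["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW" and _is_unconditional(rule):
            if syscall not in rule["names"]:
                rule["names"].append(syscall)
                rule["names"].sort()  # keep the list sorted, as upstream does
            return profile
    raise ValueError("profile has no unconditional SCMP_ACT_ALLOW rule")


def dump_profile(profile: Dict[str, Any]) -> str:
    """Serialise the profile back to JSON, ready to pass to --security-opt."""
    return json.dumps(profile, indent=2) + "\n"


if __name__ == "__main__":
    profile = load_profile(MINIMAL_PROFILE)
    print("before:", effective_action(profile, "statx"))   # SCMP_ACT_ERRNO
    whitelist_syscall(profile, "statx")
    print("after: ", effective_action(profile, "statx"))   # SCMP_ACT_ALLOW
    # Hypothetical output path; not a path from the PR.
    with open("statx-profile.json", "w") as fh:
        fh.write(dump_profile(profile))
```

To verify on a host, the generated file can be passed to a container with `docker run --security-opt seccomp=statx-profile.json ...`, after which a statx call in an unprivileged container should no longer return EPERM. As the thread notes, the host's libseccomp has to know the syscall name (libseccomp 2.3.3 or later); an older libseccomp silently ignores the added name, so the profile still loads but statx stays blocked.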