Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile #37242
Conversation
ping @justincormack PTAL

@nvcastet looks like you need to regenerate some files;
(and likely squash the two commits)
profiles/seccomp/default.json (outdated)
}
I think you will need to keep the original file ending without a new line to get the validation to work.
Will do.
profiles/seccomp/seccomp_default.go (outdated)
    Names: []string{
        "get_mempolicy",
        "mbind",
        "name_to_handle_at",
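Review bot: name_to_handle_at does not belong in this Names list, which per the PR title is the entry gated on CAP_SYS_NICE; it is a file-handle lookup call with no relation to scheduling or NUMA memory policy, and the reviewer notes it is gated by CAP_DAC_READ_SEARCH elsewhere. Suggest removing it from this block and correcting the docs table that labels it as CAP_SYS_NICE separately, rather than carrying the documentation error into the shipped profile.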
name_to_handle_at is nothing to do with CAP_SYS_NICE; it is gated by CAP_DAC_READ_SEARCH, and there are other reasons for excluding it.
@justincormack I am totally fine removing it. But in that case the documentation would need to be updated at https://docs.docker.com/engine/security/seccomp/. Search for name_to_handle_at; it is mentioned as "Already gated by CAP_SYS_NICE".
Opened docker/docs#6854
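To make the capability gating under discussion concrete, here is an added example (not code from this PR or from moby) that models how a capability-gated rule in the default seccomp profile resolves against a container's capability set: a rule with Includes.Caps only contributes its syscalls when at least one listed capability is present, and a rule with Excludes.Caps drops out when any listed capability is present. The type names, the helper functions, and the sample profile are assumptions for this example; the CAP_SYS_NICE entry follows the PR (set_mempolicy is added on the assumption that the linked docs page groups it with get_mempolicy and mbind), the CAP_DAC_READ_SEARCH entry follows the reviewer's comment, and the real profile also filters on architecture and kernel version, which is omitted here.

```go
package main

import (
	"fmt"
	"sort"
)

// Filter holds the capability conditions attached to a rule.
// (Field names are an assumption for this example, not moby's types.)
type Filter struct {
	Caps []string
}

// Syscall is one rule: a set of syscall names plus the seccomp action that
// applies to them when the Includes/Excludes conditions hold.
type Syscall struct {
	Names    []string
	Action   string
	Includes Filter
	Excludes Filter
}

// profile is a constructed fragment, not a copy of the shipped default.json.
var profile = []Syscall{
	{
		// NUMA memory-policy calls, only useful to a process holding CAP_SYS_NICE.
		Names:    []string{"get_mempolicy", "mbind", "set_mempolicy"},
		Action:   "SCMP_ACT_ALLOW",
		Includes: Filter{Caps: []string{"CAP_SYS_NICE"}},
	},
	{
		// File-handle calls: gated by CAP_DAC_READ_SEARCH, per the review comment.
		Names:    []string{"name_to_handle_at", "open_by_handle_at"},
		Action:   "SCMP_ACT_ALLOW",
		Includes: Filter{Caps: []string{"CAP_DAC_READ_SEARCH"}},
	},
	{
		// Unconditionally allowed calls (a tiny stand-in for the long default list).
		Names:  []string{"read", "write", "exit_group"},
		Action: "SCMP_ACT_ALLOW",
	},
}

// hasAny reports whether any of wanted is present in caps.
func hasAny(caps map[string]bool, wanted []string) bool {
	for _, c := range wanted {
		if caps[c] {
			return true
		}
	}
	return false
}

// ruleApplies implements the gating semantics: no Includes.Caps means the rule
// always applies; otherwise at least one included cap must be held, and no
// excluded cap may be held.
func ruleApplies(rule Syscall, caps map[string]bool) bool {
	if len(rule.Includes.Caps) > 0 && !hasAny(caps, rule.Includes.Caps) {
		return false
	}
	if len(rule.Excludes.Caps) > 0 && hasAny(caps, rule.Excludes.Caps) {
		return false
	}
	return true
}

// AllowedSyscalls returns the sorted, de-duplicated set of syscall names that
// the profile allows for a container holding exactly the given capabilities.
func AllowedSyscalls(p []Syscall, containerCaps []string) []string {
	caps := make(map[string]bool, len(containerCaps))
	for _, c := range containerCaps {
		caps[c] = true
	}
	seen := map[string]bool{}
	for _, rule := range p {
		if rule.Action != "SCMP_ACT_ALLOW" || !ruleApplies(rule, caps) {
			continue
		}
		for _, n := range rule.Names {
			seen[n] = true
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// Allows answers the question a reviewer actually asks: is this one syscall
// reachable from a container with these capabilities?
func Allows(p []Syscall, containerCaps []string, name string) bool {
	for _, n := range AllowedSyscalls(p, containerCaps) {
		if n == name {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("default caps:     ", AllowedSyscalls(profile, nil))
	fmt.Println("--cap-add SYS_NICE:", AllowedSyscalls(profile, []string{"CAP_SYS_NICE"}))
}
```

The point the example makes is the one the review turns on: adding a syscall to the CAP_SYS_NICE rule means `--cap-add SYS_NICE` silently unlocks it, so a misfiled entry such as name_to_handle_at would become reachable through a capability that has nothing to do with it.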
(force-pushed 6d17fd4 to d6b767f)
Codecov Report
Coverage Diff (master vs #37242; base coverage unknown, shown as "?"):
Coverage  ?  35.32%
Files     ?  609
Lines     ?  45011
Branches  ?  0
Hits      ?  15898
Misses    ?  26959
Partials  ?  2154
@thaJeztah Would you know why the

Looks like that one is marked "flaky"; #32673
(force-pushed 701d53b to 700b4b4)
@thaJeztah Thanks. Do you know if it is possible to retrigger just the PR jobs that failed (here janky and windowsRS1)?
* Update profile to match docker documentation at https://docs.docker.com/engine/security/seccomp/ Signed-off-by: Nicolas V Castet <nvcastet@us.ibm.com>
(force-pushed 700b4b4 to 47dfff6)
Hm, CI doesn't seem to restart; I asked internally if someone has access to do so. @justincormack PTAL
Failure on PowerPC can be ignored;
LGTM!

@thaJeztah @justincormack Anything else needed to merge this PR?
It's slightly odd gating these all by
LGTM

@nvcastet will you do a follow-up PR in the documentation repo?
@thaJeztah Documentation PR was created at: docker/docs#6861

Thanks! Failures look to be flaky tests, so I'll go ahead and merge