Fix seccomp profile for clone syscall #39308
ping @justincormack @KentaTada @estesp ptal
@thaJeztah I think below example.json should also be modified. Thanks!
This commit changes the value of seccomp test for clone syscall. Also hardcoded values should be changed because it is unclear to understand what flags are tested.

Related issues:
* containerd/containerd#3314
* moby/moby#39308
* opencontainers/runtime-tools#694

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
LGTM
Let me update that fixture used in the test

All clone flags for namespace should be denied.

Based-on-patch-by: Kenta Tada <Kenta.Tada@sony.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
b719c17 to a1ec855
updated 👍
Codecov Report
@@ Coverage Diff @@
## master #39308 +/- ##
=========================================
Coverage ? 37.03%
=========================================
Files ? 612
Lines ? 45486
Branches ? 0
=========================================
Hits ? 16848
Misses ? 26353
Partials ? 2285
failures look unrelated
based on containerd/containerd#3314
All clone flags for namespace should be denied.
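
An added example, not code from this pull request or from moby: it builds the clone mask from named namespace flags instead of a hard-coded number, and reports which flags a given mask leaves untested. It assumes the profile rule has the masked-equality form (allow clone only when `flags & mask == 0`); the function names and the incomplete mask are constructed for illustration, and the flag values are those in `<linux/sched.h>`.

```go
package main

import (
	"fmt"
	"sort"
)

// Namespace-creating clone(2) flags, values from <linux/sched.h>.
var nsFlags = map[string]uint64{
	"CLONE_NEWNS":     0x00020000,
	"CLONE_NEWCGROUP": 0x02000000,
	"CLONE_NEWUTS":    0x04000000,
	"CLONE_NEWIPC":    0x08000000,
	"CLONE_NEWUSER":   0x10000000,
	"CLONE_NEWPID":    0x20000000,
	"CLONE_NEWNET":    0x40000000,
}

// NamespaceMask ORs the named flags together so the tested set is readable.
func NamespaceMask() uint64 {
	var m uint64
	for _, v := range nsFlags {
		m |= v
	}
	return m
}

// CloneAllowed models the assumed masked-equality rule: the call is allowed
// only when none of the bits in mask are set in the clone flags argument.
func CloneAllowed(flags, mask uint64) bool { return flags&mask == 0 }

// Uncovered lists the namespace flags that mask does not test, sorted by name.
func Uncovered(mask uint64) []string {
	var out []string
	for name, v := range nsFlags {
		if mask&v == 0 {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	full := NamespaceMask()
	partial := full &^ nsFlags["CLONE_NEWCGROUP"] // constructed incomplete mask
	fmt.Printf("full mask: %d (%#x)\n", full, full)
	fmt.Println("untested by partial mask:", Uncovered(partial))
}
```

Running `Uncovered` over the decimal mask found in a profile or test fixture shows at a glance whether every namespace flag is denied.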