Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix seccomp profile for clone syscall #39308

Merged
merged 1 commit into from Jun 4, 2019
Merged

Fix seccomp profile for clone syscall #39308

merged 1 commit into from Jun 4, 2019

Conversation

thaJeztah
Copy link
Member

based on containerd/containerd#3314

All clone flags for namespace should be denied.

@thaJeztah
Copy link
Member Author

ping @justincormack @KentaTada @estesp ptal

@thaJeztah thaJeztah mentioned this pull request Jun 3, 2019
Merged
@KentaTada KentaTada mentioned this pull request Jun 4, 2019
Merged
@KentaTada
Copy link
Contributor

@thaJeztah I think below example.json should also be modified. Thanks!

moby/profiles/seccomp/fixtures/example.json

Line 10 in 3d21b86

"value": 2080505856,

KentaTada pushed a commit to KentaTada/runc that referenced this pull request Jun 4, 2019
libcontainer: change seccomp test for clone syscall
89d0205 
This commit changes the value of seccomp test for clone syscall.
Also hardcoded values should be changed because it is unclear to
understand what flags are tested.

Related issues:

* containerd/containerd#3314
* moby/moby#39308
* opencontainers/runtime-tools#694

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
@KentaTada KentaTada mentioned this pull request Jun 4, 2019
Merged
KentaTada pushed a commit to KentaTada/runc that referenced this pull request Jun 4, 2019
libcontainer: change seccomp test for clone syscall
b54fd85 
This commit changes the value of seccomp test for clone syscall.
Also hardcoded values should be changed because it is unclear to
understand what flags are tested.

Related issues:

* containerd/containerd#3314
* moby/moby#39308
* opencontainers/runtime-tools#694

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
estesp
estesp approved these changes Jun 4, 2019
View reviewed changes
Copy link
Contributor

@estesp estesp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah
Copy link
Member Author

Let me update that fixture used in the test

@thaJeztah
Fix seccomp profile for clone syscall
a1ec855 
All clone flags for namespace should be denied.

Based-on-patch-by: Kenta Tada <Kenta.Tada@sony.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
Copy link
Member Author

updated 👍

@codecov
Copy link

codecov bot commented Jun 4, 2019

Codecov Report

❗ No coverage uploaded for pull request base (master@c13dab6). Click here to learn what that means.
The diff coverage is 0%.

@@            Coverage Diff            @@
##             master   #39308   +/-   ##
=========================================
  Coverage          ?   37.03%           
=========================================
  Files             ?      612           
  Lines             ?    45486           
  Branches          ?        0           
=========================================
  Hits              ?    16848           
  Misses            ?    26353           
  Partials          ?     2285

@thaJeztah
Copy link
Member Author

failures look unrelated

@thaJeztah thaJeztah merged commit a74eb9c into moby:master Jun 4, 2019
@thaJeztah thaJeztah deleted the fix_clone_seccomp_cgroupns branch June 4, 2019 18:11
mauriciovasquezbernal pushed a commit to kinvolk/runc that referenced this pull request Jul 23, 2019
@mauriciovasquezbernal
libcontainer: change seccomp test for clone syscall
07802a7 
This commit changes the value of seccomp test for clone syscall.
Also hardcoded values should be changed because it is unclear to
understand what flags are tested.

Related issues:

* containerd/containerd#3314
* moby/moby#39308
* opencontainers/runtime-tools#694

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
adrianreber pushed a commit to adrianreber/runc that referenced this pull request Aug 6, 2019
@adrianreber
libcontainer: change seccomp test for clone syscall
8b9139a 
This commit changes the value of seccomp test for clone syscall.
Also hardcoded values should be changed because it is unclear to
understand what flags are tested.

Related issues:

* containerd/containerd#3314
* moby/moby#39308
* opencontainers/runtime-tools#694

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
stefanberger pushed a commit to stefanberger/runc that referenced this pull request Dec 31, 2019
@stefanberger
libcontainer: change seccomp test for clone syscall
a33a2a0 
This commit changes the value of seccomp test for clone syscall.
Also hardcoded values should be changed because it is unclear to
understand what flags are tested.

Related issues:

* containerd/containerd#3314
* moby/moby#39308
* opencontainers/runtime-tools#694

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
@thaJeztah thaJeztah added this to the 20.03.0 milestone Apr 2, 2020
@thaJeztah thaJeztah mentioned this pull request Aug 24, 2020
Closed
@achimnol achimnol mentioned this pull request Feb 24, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justincormack justincormack justincormack approved these changes

@estesp estesp estesp approved these changes

Assignees
No one assigned
Labels
area/security/seccomp area/security impact/changelog process/cherry-picked status/4-merge
Projects
None yet
Milestone
20.10.0
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@thaJeztah @KentaTada @justincormack @estesp @GordonTheTurtle