seccomp: officially define the list of syscalls required by runc itself #2097
Comments
It would be great to have a set of syscalls required for that. We recently hit the exact issue in our GSoC project (tracing syscalls via eBPF). We collected the following syscalls in runc while we need the syscalls after
To run
However, this list still doesn't seem enough to run the image with a spec generated by Docker. (runc version: 425e105)
Interesting. Maybe the execution paths are slightly different. I used
This seems the minimal requirement for

```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64"
  ],
  "syscalls": [
    {
      "names": [
        "capget",
        "capset",
        "chdir",
        "close",
        "epoll_pwait",
        "execve",
        "fchown",
        "fstat",
        "futex",
        "getdents64",
        "getppid",
        "newfstatat",
        "openat",
        "prctl",
        "read",
        "setgid",
        "setgroups",
        "setuid",
        "write"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
```

docker version:
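The practical problem in this thread is checking whether a given seccomp profile (for example a Docker-generated one with `defaultAction` set to `SCMP_ACT_ERRNO`) still lets runc's own late-stage syscalls through. The following is an added example, not code from runc, Docker or any commenter: it takes the syscall list posted above as a constant, resolves the effective action for each name against a profile in the runtime-spec JSON shape (`names` list, with the older single `name` key also accepted), flags syscalls that are only allowed under an argument filter, and produces a copy of the profile with one extra unconditional allow rule covering just the missing names. The `SAMPLE_PROFILE` is constructed for the example and is not a real Docker profile, and the resolution assumes at most one rule matches a syscall (first match wins), which is a simplification of libseccomp's rule handling.

```python
import copy
import json

# The x86_64 list posted in this thread as the minimal set runc itself needs
# (runc 425e105 per the poster); copied here as a constant.
RUNC_REQUIRED = frozenset({
    "capget", "capset", "chdir", "close", "epoll_pwait", "execve", "fchown",
    "fstat", "futex", "getdents64", "getppid", "newfstatat", "openat",
    "prctl", "read", "setgid", "setgroups", "setuid", "write",
})


def rule_names(rule):
    """Accept both the runtime-spec 'names' list and the older single 'name' key."""
    names = list(rule.get("names", []))
    if "name" in rule:
        names.append(rule["name"])
    return names


def effective_action(profile, syscall):
    """Action the profile applies to `syscall`, ignoring argument values.

    Returns (action, conditional): `conditional` is True when the matching rule
    carries an "args" filter, i.e. the syscall is allowed only for some argument
    values. Simplification (assumption): the first matching rule wins.
    """
    for rule in profile.get("syscalls", []):
        if syscall in rule_names(rule):
            return rule["action"], bool(rule.get("args"))
    return profile["defaultAction"], False


def denied_for_runc(profile, required=RUNC_REQUIRED):
    """Split `required` into syscalls the profile denies outright and syscalls
    it allows only conditionally (argument-filtered rules)."""
    denied, conditional = set(), set()
    for name in sorted(required):
        action, cond = effective_action(profile, name)
        if action != "SCMP_ACT_ALLOW":
            denied.add(name)
        elif cond:
            conditional.add(name)
    return denied, conditional


def with_runc_allowed(profile, required=RUNC_REQUIRED):
    """Return a deep copy of `profile` with one extra unconditional allow rule
    covering only the required syscalls that would otherwise be denied; the
    input profile is left untouched."""
    denied, _ = denied_for_runc(profile, required)
    fixed = copy.deepcopy(profile)
    if denied:
        fixed.setdefault("syscalls", []).append(
            {"names": sorted(denied), "action": "SCMP_ACT_ALLOW"})
    return fixed


# Constructed sample in the Docker/runtime-spec shape: deny by default, an
# allow list that omits setgroups, and prctl allowed only for PR_SET_NAME (15).
# This is illustrative and not a real Docker default profile.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["capget", "capset", "chdir", "close", "epoll_pwait", "execve",
                   "fchown", "fstat", "futex", "getdents64", "getppid",
                   "newfstatat", "openat", "read", "setgid", "setuid", "write"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["prctl"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 15, "op": "SCMP_CMP_EQ"}]},
    ],
}


if __name__ == "__main__":
    denied, conditional = denied_for_runc(SAMPLE_PROFILE)
    print("denied outright:", sorted(denied))
    print("allowed only under an argument filter:", sorted(conditional))
    print(json.dumps(with_runc_allowed(SAMPLE_PROFILE), indent=2))
```

Run against a real profile by loading it with `json.load` and passing it to `denied_for_runc`; the conditional set is worth reading by hand, since a filtered `prctl` rule may or may not cover the argument values runc actually uses, which this check cannot decide.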
We have moved the seccomp application stage a few times, so you might end up with some fairly weird results. In theory the only place where we need syscalls is in the last few stages after
There are some syscalls that need to be enabled to use seccomp mode, but currently these syscalls are not documented.
Also wondering whether the OCI Runtime Spec needs to be revised: https://github.com/opencontainers/runtime-spec/blob/a950415649c735f9fd9ec3b8869efef24b67cef4/config-linux.md#seccomp