Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

init: delay seccomp application as late as possible #1569

Merged
merged 2 commits into from Sep 7, 2017
Merged

init: delay seccomp application as late as possible #1569

merged 2 commits into from Sep 7, 2017

Conversation

cyphar
Copy link
Member

@cyphar cyphar commented Aug 24, 2017

This further reduces the number of syscalls that a user needs to enable
in their seccomp profile.

This mirrors the standard_init_linux.go seccomp code, which only applies
seccomp early if NoNewPrivileges is enabled. Otherwise it's done
immediately before execve to reduce the amount of syscalls necessary for
users to enable in their seccomp profiles.

Signed-off-by: Aleksa Sarai asarai@suse.de

@cyphar
init: move close(stateDirFd) before seccomp apply
3ddde27 
This further reduces the number of syscalls that a user needs to enable
in their seccomp profile.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
@cyphar
setns init: delay seccomp as late as possible
1f32fff 
This mirrors the standard_init_linux.go seccomp code, which only applies
seccomp early if NoNewPrivileges is enabled. Otherwise it's done
immediately before execve to reduce the amount of syscalls necessary for
users to enable in their seccomp profiles.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
@crosbymichael
Copy link
Member

crosbymichael commented Sep 7, 2017
edited by caniszczyk

LGTM

Approved with PullApprove

1 similar comment
@mrunalp
Copy link
Contributor

mrunalp commented Sep 7, 2017
edited by caniszczyk

LGTM

Approved with PullApprove

@mrunalp mrunalp merged commit deb9d7f into opencontainers:master Sep 7, 2017
@cyphar cyphar deleted the delay-seccomp branch September 8, 2017 02:38
@cyphar cyphar mentioned this pull request Feb 24, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@cyphar @crosbymichael @mrunalp