seccomp: add CloneNewCgroup to check sysCloneFlagsIndex #694
I don't understand why pullapprove failed, but I signed off.
FYI, @vbatts @crosbymichael
This commit changes the value of seccomp test for clone syscall.
Also hardcoded values should be changed because it is unclear to understand what flags are tested.

Related issues:
* containerd/containerd#3314
* moby/moby#39308
* opencontainers/runtime-tools#694

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
@KentaTada can you please rebase this?
All clone flags should be denied as default profile.
Also x/sys should be used instead of syscall.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
a32e1e5 to 7fdb100
Rebased. Thanks.
close/reopen to kick ci
LGTM
LGTM
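Why the CloneNewCgroup bit matters to a clone flags check, as an added Go example (not code from this pull request or from runtime-tools). It assumes the seccomp rule is a masked-equality test on clone's flags argument that passes only when no masked bit is set; the kernel's namespace flag values are declared locally rather than imported from golang.org/x/sys/unix, and the names `nsFlags`, `buildMask`, `cloneAllowed` and `uncovered` are hypothetical.

```go
package main

import "fmt"

// Namespace flags for clone(2), values from the kernel's <linux/sched.h>.
// Declared locally so this builds anywhere; x/sys/unix exports the same names.
var nsFlags = []struct {
	name string
	bit  uint64
}{
	{"CLONE_NEWNS", 0x00020000},
	{"CLONE_NEWCGROUP", 0x02000000},
	{"CLONE_NEWUTS", 0x04000000},
	{"CLONE_NEWIPC", 0x08000000},
	{"CLONE_NEWUSER", 0x10000000},
	{"CLONE_NEWPID", 0x20000000},
	{"CLONE_NEWNET", 0x40000000},
}

// buildMask ORs the namespace flags together, leaving out the one named in omit.
func buildMask(omit string) uint64 {
	var mask uint64
	for _, f := range nsFlags {
		if f.name != omit {
			mask |= f.bit
		}
	}
	return mask
}

// cloneAllowed models the assumed rule: allow only if (flags & mask) == 0.
func cloneAllowed(flags, mask uint64) bool { return flags&mask == 0 }

// uncovered lists the namespace flags that a mask fails to test.
func uncovered(mask uint64) []string {
	var out []string
	for _, f := range nsFlags {
		if f.bit&mask == 0 {
			out = append(out, f.name)
		}
	}
	return out
}

func main() {
	for _, m := range []uint64{buildMask("CLONE_NEWCGROUP"), buildMask("")} {
		fmt.Printf("mask=%d (%#x) untested=%v\n", m, m, uncovered(m))
	}
}
```

Building the mask from named flags makes a missing bit visible in review, which a bare decimal literal does not.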