SEGSEGV with recent kernel and seccomp #106
We did a bit of digging to find it with @romainreuillon but the manpage helped:
This seems to work as filters that can't be unset once set. Setting one to 0 disables the filter and enables child processes to actually capture the event.
We're not experts in low-level stuff unfortunately so don't take our word for granted.
Regarding this issue, maybe this could help:
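The comment above leans on the observation that a seccomp filter, once installed, stays in place and is passed on to children. The program below is an added example written for this page, not PRoot's own code and not the filter PRoot installs: it loads a deliberately tiny constructed filter that makes `getppid()` fail with `EPERM`, then shows (a) that asking the kernel for `SECCOMP_MODE_DISABLED` afterwards is rejected with `EINVAL`, so there is no way to "unset" the filter from inside the process, and (b) that a process forked after installation inherits the same filter. The demonstration runs in a forked child so the caller stays unfiltered. It needs a Linux kernel with seccomp-BPF; where that is unavailable it reports `DEMO_UNSUPPORTED` rather than failing.

```c
/* Added example: two seccomp properties relevant to the PRoot discussion.
 *   1. A filter cannot be removed by the process that installed it:
 *      prctl(PR_SET_SECCOMP, SECCOMP_MODE_DISABLED) fails with EINVAL.
 *   2. The filter is inherited by every child forked after installation.
 * The filter itself is constructed for this demo (it is NOT PRoot's filter):
 * it denies getppid() with EPERM and allows every other syscall. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Result codes returned by seccomp_demo(). */
enum { DEMO_OK = 0, DEMO_UNEXPECTED = 1, DEMO_UNSUPPORTED = 2 };

/* Install the constructed filter. Returns 0 on success, otherwise -errno. */
static int install_deny_getppid_filter(void)
{
    struct sock_filter insns[] = {
        /* Refuse to run under an unexpected architecture (syscall numbers differ). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; getppid -> EPERM, anything else -> allow. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(insns) / sizeof(insns[0]),
        .filter = insns,
    };

    /* Without CAP_SYS_ADMIN the kernel insists on no_new_privs first. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Returns 0 if the raw getppid syscall succeeds, else the errno it failed with. */
int probe_getppid(void)
{
    errno = 0;
    if (syscall(SYS_getppid) == -1)
        return errno;
    return 0;
}

/* Runs the demonstration in a forked child so the caller stays unfiltered.
 * Returns DEMO_OK, DEMO_UNEXPECTED or DEMO_UNSUPPORTED. */
int seccomp_demo(void)
{
    int status;
    pid_t child = fork();
    if (child < 0)
        return DEMO_UNEXPECTED;

    if (child == 0) {
        if (install_deny_getppid_filter() != 0)
            _exit(DEMO_UNSUPPORTED);

        /* Property 1: there is no "unset"; SECCOMP_MODE_DISABLED is rejected. */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_DISABLED, NULL) == 0 || errno != EINVAL)
            _exit(DEMO_UNEXPECTED);

        /* The filter applies to the installing process itself ... */
        if (probe_getppid() != EPERM)
            _exit(DEMO_UNEXPECTED);

        /* Property 2: ... and to anything it forks from now on. */
        pid_t grandchild = fork();
        if (grandchild < 0)
            _exit(DEMO_UNEXPECTED);
        if (grandchild == 0)
            _exit(probe_getppid() == EPERM ? DEMO_OK : DEMO_UNEXPECTED);
        if (waitpid(grandchild, &status, 0) != grandchild || !WIFEXITED(status))
            _exit(DEMO_UNEXPECTED);
        _exit(WEXITSTATUS(status));
    }

    if (waitpid(child, &status, 0) != child || !WIFEXITED(status))
        return DEMO_UNEXPECTED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = seccomp_demo();
    printf("parent getppid errno: %d, demo result: %s\n", probe_getppid(),
           r == DEMO_OK ? "filter sticky and inherited" :
           r == DEMO_UNSUPPORTED ? "seccomp unavailable here" : "unexpected");
    return r;
}
```

The practical consequence for a tracer like PRoot is that whatever filter it installs is carried by every process it launches; the only way to run a tracee without that filter is to never install it in the first place, which is what disabling seccomp before starting does.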
Glad it helped @Gnurou. Please note though that early performance tests we've been running suggest a significant performance drop when disabling Seccomp (something like 4 times as slow on an IO-heavy application).
So we need to find an actual solution to re-enable seccomp in the future. #helpwanted ;)
Hi. After posting the question, I decided to look at it over the weekend and I came up with this dirty solution, changing tracee/event.c, which seems to work OK. Maybe it can help you find a better solution.
I'm using proot for udocker (https://github.com/indigo-dc/udocker) a tool to run docker containers without privileges.
Redirection of folders visible to applications with hardcoded expectations (e.g. Arduino, emacs, FireFox, Slic3r, Cura, Pronterface, etc.) is an essential feature for ensuring these applications can be configured for a specific purpose (e.g. https://github.com/mirage335/MarlinBuilder/blob/master/launchArduino).
PRoot's methods and syntax present the logical solution to this problem, yet it has not been acceptably reliable for production use, if for no other reason than that this bug report has been allowed to remain open for more than a year.
Ubiquitous Bash is significantly inspired as a workaround to this bug report and, after approximately four months of intensive development, is now operational on Linux systems, especially Debian Stretch. Application virtualization, with file parameter translation and permission dropping, is supported. Several virtualization backends are available to choose from, including ChRoot, QEMU, VirtualBox, and Docker, all working with the same raw VM image. If for any reason one of these backends is unsuitable or unavailable, an alternative can be launched within seconds.