seccomp: always allow name_to_handle_at

This syscall is used by systemd to request unique internal names for
paths in the cgroup hierarchy from the kernel, and is overall innocuous.

Due to [previous][1] [mistakes][2] in moby/moby, it ended up attached to
`CAP_SYS_ADMIN`; however, it should not be filtered at all.

An in-depth analysis is available [at moby/moby][3].

  [1]: a01c4dc8f8 (diff-6c0d906dbef148d2060ed71a7461907e5601fea78866e4183835c60e5d2ff01aR1627-R1639)
  [2]: c1ca124682
  [3]: https://github.com/moby/moby/pull/45766#pullrequestreview-1493908145

Co-authored-by: Vitor Anjos <bartier@users.noreply.github.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Bjorn Neergaard 2023-06-27 13:31:28 -06:00
parent 9b4ed8acc2
commit 9a202e342b


@ -237,6 +237,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
"munlock", "munlock",
"munlockall", "munlockall",
"munmap", "munmap",
"name_to_handle_at",
"nanosleep", "nanosleep",
"newfstatat", "newfstatat",
"_newselect", "_newselect",
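Review bot: The new `name_to_handle_at` entry is inserted in the right alphabetical slot between `munmap` and `nanosleep`, but nothing in the source records why this syscall is allowed unconditionally while it previously sat in the `CAP_SYS_ADMIN` group; add a short comment next to the entry (systemd uses it to obtain cgroup path handles, see the linked moby/moby review) so a later reader of the default profile does not "fix" it back into the capability-gated list.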
@ -585,7 +586,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
"mount", "mount",
"mount_setattr", "mount_setattr",
"move_mount", "move_mount",
"name_to_handle_at",
"open_tree", "open_tree",
"perf_event_open", "perf_event_open",
"quotactl", "quotactl",
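Review bot: This removal only makes sense together with the addition in the first hunk; on its own, dropping `name_to_handle_at` from the `CAP_SYS_ADMIN` group would leave the syscall matched by neither list and subject to the profile's default action, which is a tightening rather than the intended relaxation. The hunk header's count change (7 to 6) matches exactly one removed line, and the remaining entries (`mount`, `mount_setattr`, `move_mount`, `open_tree`, `perf_event_open`, `quotactl`) are untouched, so the `CAP_SYS_ADMIN` gate stays in place for the genuinely privileged syscalls.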