This whitelists the statx syscall; libseccomp-2.3.3 or up
is needed for this, older seccomp versions will ignore this.
Equivalent of https://github.com/moby/moby/pull/36417
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
io_pgetevents() is a new Linux system call, similar to the already-whitelisted
io_getevents(). It has no security implications. Whitelist it so applications can
use the new system call.
Fixes#3105.
Signed-off-by: Avi Kivity <avi@scylladb.com>
This improves nvidia support for multiple uuids per container and fixes
the API to add individual capabilities.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This allows non-privileged users to use containerd. This is part of a
larger track of work integrating containerd into Cloudfoundry's garden
with support for rootless.
[#156343575]
Signed-off-by: Claudia Beresford <cberesford@pivotal.io>
As of opencontainers/runc@db093f621f runc
no longer depends on libapparmor thus libapparmor-dev no longer needs to
be installed to build it. Adjust the documentation accordingly.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
No capabilities can be granted outside the bounding set, so there
is no point looking at any other set for the largest scope.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Use golang:1.9, which should get the latest 1.9.x version,
instead of using a specific tag.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
This adds default apparmor profile generation to the containerd client
so that profiles can be generated with a SpecOpt
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
