containerd/contrib/seccomp
Bjorn Neergaard 9a202e342b
seccomp: always allow name_to_handle_at
This syscall is used by systemd to request unique internal names for
paths in the cgroup hierarchy from the kernel, and is overall innocuous.

Due to [previous][1] [mistakes][2] in moby/moby, it ended up attached to
`CAP_SYS_ADMIN`; however, it should not be filtered at all.

An in-depth analysis is available [at moby/moby][3].

  [1]: a01c4dc8f8 (diff-6c0d906dbef148d2060ed71a7461907e5601fea78866e4183835c60e5d2ff01aR1627-R1639)
  [2]: c1ca124682
  [3]: https://github.com/moby/moby/pull/45766#pullrequestreview-1493908145

Co-authored-by: Vitor Anjos <bartier@users.noreply.github.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-06-28 05:50:24 -06:00
kernelversion                   allow ptrace(2) by default for kernel >= 4.8          2022-04-18 20:45:29 +00:00
seccomp_default_unsupported.go  chore: use go fix to cleanup old +build buildtag      2022-12-29 14:25:14 +08:00
seccomp_default.go              seccomp: always allow name_to_handle_at               2023-06-28 05:50:24 -06:00
seccomp.go                      refactor: move from io/ioutil to io and os package    2021-09-21 09:50:38 +08:00