-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
seccomp: Use explicit DefaultErrnoRet #42649
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Note that I also opened #42648, which might conflict with this one
@thaJeztah oh, nice PR. I was thinking to open an issue about doing something like that. Feel free to close this and cherry-pick the commit, then! Let me know if you prefer that or if I should polish this PR. Both options are fine for me :) |
If you don't mind the rebase (if my PR gets accepted, and merged first), then I'd say; keep this one open 👍 they're addressing different things, so it makes sense to review/merge separately. |
f0b7385
to
54182f8
Compare
@thaJeztah thanks a lot! I've just rebased on latest master, completed the PR description template and addressed the comments (I think :)). I've also run Let me know if there is anything else missing! Thanks again |
54182f8
to
cc607e7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
The CI failure seems unrelated to this PR, IIUC. |
cc607e7
to
eced734
Compare
@thaJeztah @justincormack PTAL. Now it is only one commit, brain fart on my end, it is not needed to change files in I did add the Please let me know what you think, sorry for the brain fart! :) |
So, switching the default to ENOSYS is probably a good thing overall (given that clone3 was missed with the seccomp update it seems the runc behaviour is suboptimal -- though in fairness we are fairly restrained by libseccomp limitations). However, there should be some inverse rules defined to return EPERM for syscalls that are explicitly being blocked (unfortunately due to libseccomp limitations some rules cannot be inverted, but most of the rules Docker uses can be -- I know some podman ones can't though). |
@cyphar thanks! The idea is to first add the Once this is merged I was planning to open an issue to discuss this, I can cc you when creating the issue :) |
Since commit "seccomp: Sync fields with runtime-spec fields" (5d24467) we support to specify the DefaultErrnoRet to be used. Before that commit it was not specified and EPERM was used by default. This commit keeps the same behaviour but just makes it explicit that the default is EPERM. Signed-off-by: Rodrigo Campos <[email protected]>
eced734
to
fb79416
Compare
Oh sorry I misread the title of the PR. Yeah that sounds good to me -- sorry for the noise! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
Since commit "seccomp: Sync fields with runtime-spec fields"
(5d24467) we support to specify the
DefaultErrnoRet to be used.
Before that commit it was not specified and EPERM was used by default.
This commit keeps the same behaviour but just makes it explicit that the
default is EPERM.
Signed-off-by: Rodrigo Campos [email protected]
This a follow-up of #42604 (comment), as suggested by @thaJeztah. This just adds an explicit default to EPERM. Right now the default is EPERM but is implicit.
- What I did
Added the field
DefaultErrnoRet
to seccomp profiles- How I did it
Added the field to default profile in
profiles/seccomp/default_linux.go
, then adjusted the tests to expect this new field- How to verify it
You can run unit tests with:
TESTDIRS='github.com/docker/docker/profiles/seccomp' make test-unit
.You can also run
hack/validate/default-seccomp
to verify nothing was missing in the changes.- Description for the changelog
Add an explicit DefaultErrnoRet field in the default seccomp profile. No behavior change.
- A picture of a cute animal (not mandatory but encouraged)
![](https://camo.githubusercontent.com/2e16010b9ee249aa50858a4f02052c4b8aa2f14ded3f874d3df3895f34ab8094/68747470733a2f2f7777772e6b696e646572756e646a7567656e646d656469656e2e64652f696d616765732f52617461746f75696c6c655f70697861722e6a7067)