seccomp: should valueTwo be required with SCMP_CMP_MASKED_EQ? #971
Issue description:

`valueTwo` is listed as `OPTIONAL`. And in the Go it's listed as `omitempty`. As a result, docker's seccomp policy will be encoded as this:

If the spec was generated by a Go program, you can assume that `valueTwo` is `0`. But if it was generated in any other way, it could be a malformed configuration. Since it's potentially a critical security piece, I don't want to have to guess.

I think the spec should be more explicit in what to do if `op == SCMP_CMP_MASKED_EQ`, some ideas:

- `valueTwo` could be `REQUIRED` for this `op`, it would require using a pointer in the Golang struct.
- `valueTwo` defaults to `0` for this `op`.
- `valueTwo` could be required to be unset for all other `ops`.

Comments:

Either of these would work, although I personally prefer the first.

I think this is a good idea, as long as we make it clear that the requirement only applies to |
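The encoding difference the issue describes (a `uint64` with `omitempty` silently drops a zero `valueTwo`, a pointer field keeps it) and the stricter validation rule it proposes, as an added Go example; this is not runtime-spec's or Docker's own code, and the struct types, function names and sample values are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical mirrors of the spec's syscall argument (not the project's own types).
type ArgOmit struct {
	Index    uint   `json:"index"`
	Value    uint64 `json:"value"`
	ValueTwo uint64 `json:"valueTwo,omitempty"` // current form: a zero valueTwo is dropped
	Op       string `json:"op"`
}

type ArgPtr struct {
	Index    uint    `json:"index"`
	Value    uint64  `json:"value"`
	ValueTwo *uint64 `json:"valueTwo,omitempty"` // idea 1: a pointer keeps an explicit 0
	Op       string  `json:"op"`
}

// Encode returns the JSON each form produces for a MASKED_EQ argument whose valueTwo is zero.
func Encode() (omit, ptr string) {
	zero := uint64(0)
	a, _ := json.Marshal(ArgOmit{Index: 1, Value: 0xff, Op: "SCMP_CMP_MASKED_EQ"})
	b, _ := json.Marshal(ArgPtr{Index: 1, Value: 0xff, ValueTwo: &zero, Op: "SCMP_CMP_MASKED_EQ"})
	return string(a), string(b)
}

// ValidateArg applies the stricter reading: MASKED_EQ must carry valueTwo, every other op must not.
func ValidateArg(raw string) error {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return err
	}
	var op string
	if err := json.Unmarshal(m["op"], &op); err != nil {
		return fmt.Errorf("missing or bad op: %w", err)
	}
	if _, has := m["valueTwo"]; has != (op == "SCMP_CMP_MASKED_EQ") {
		return fmt.Errorf("op %s: valueTwo present=%v, want %v", op, has, !has)
	}
	return nil
}

func main() {
	omit, ptr := Encode()
	fmt.Println(omit, ValidateArg(omit)) // omitempty form lost valueTwo: rejected
	fmt.Println(ptr, ValidateArg(ptr))   // pointer form kept it: accepted
}
```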