| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <874kle3nwt.fsf@oldenburg2.str.redhat.com>
Date: Tue, 24 Nov 2020 14:05:54 +0100
From: Florian Weimer <fweimer@...hat.com>
To: Aleksa Sarai <cyphar@...har.com>
Cc: linux-api@...r.kernel.org, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, dev@...ncontainers.org,
corbet@....net, Carlos O'Donell <carlos@...hat.com>
Subject: Re: [PATCH] syscalls: Document OCI seccomp filter interactions &
workaround
* Aleksa Sarai:
> As I mentioned in the runc thread[1], this is really down to Docker's
> default policy configuration. The EPERM-everything behaviour in OCI was
> inherited from Docker, and it boils down to not having an additional
> seccomp rule which does ENOSYS for unknown syscall numbers (Docker can
> just add the rule without modifying the OCI runtime-spec -- so it's
> something Docker can fix entirely on their own). I'll prepare a patch
> for Docker this week.
Appreciated, thanks.
> IMHO it's also slightly overkill to change the kernel API design
> guidelines in response to this issue.
>
> [1]: https://github.com/opencontainers/runc/issues/2151
Won't this cause docker to lose OCI compliance? Or is the compliance
testing not that good?
Thanks,
Florian
--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
Powered by blists - more mailing lists