common: seccomp: default profile has several duplicates
While working on updating the profile to include the changes I made in docker/docker#41889 I noticed that several syscalls are included in both the main “allow for all containers” list and the “allow for containers with these capabilities” lists:
- `unshare`, `mount`, `umount`, and `umount2` are for `CAP_SYS_ADMIN` and all containers.
- `reboot` is permitted for `CAP_SYS_BOOT` and all containers.
- `name_to_handle_at` is permitted for `CAP_SYS_ADMIN`, `CAP_SYS_NICE` (?), and all containers.
- `clone` has some complicated rules for `CAP_SYS_ADMIN` to block `CLONE_NEWUSER` but it’s enabled for all containers as well.
Should I remove these duplicates when updating the seccomp profile? I imagine these slipped through the net when the original profile was copied from Docker and then modified over time.
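The check below is an added example written for this page, not code from the issue author or from containers/common. It walks a profile in the Docker/containers seccomp JSON layout (`syscalls[]` entries with `names`, `action`, `args`, `includes`, `excludes`), collects the entries that allow a syscall unconditionally (no capability include/exclude, no arch restriction, no argument filter), and reports every gated entry that lists one of those same syscalls. The embedded profile is a constructed miniature, not the real default profile; the function names are the example's own. The point it makes concrete is why the `clone` case matters more than the others: with `defaultAction` set to `SCMP_ACT_ERRNO`, one unconditional allow already admits the call, so a capability-gated or argument-masked allow for the same syscall can never deny anything.

```python
import json
import sys

# Constructed miniature of a containers/common-style seccomp profile (not the
# real default profile). The first entry stands in for the "allow for all
# containers" list; the later entries are the capability-gated and
# argument-filtered lists that the issue reports as duplicated.
SAMPLE_PROFILE = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "mount", "umount2", "reboot", "clone"],
     "action": "SCMP_ACT_ALLOW", "args": [], "includes": {}, "excludes": {}},
    {"names": ["mount", "umount2", "unshare"], "action": "SCMP_ACT_ALLOW",
     "args": [], "includes": {"caps": ["CAP_SYS_ADMIN"]}, "excludes": {}},
    {"names": ["reboot"], "action": "SCMP_ACT_ALLOW", "args": [],
     "includes": {"caps": ["CAP_SYS_BOOT"]}, "excludes": {}},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}],
     "includes": {}, "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW", "args": [],
     "includes": {"caps": ["CAP_SYS_ADMIN"]}, "excludes": {}},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}],
     "includes": {}, "excludes": {}}
  ]
}
"""


def load_sample():
    """Parse the constructed sample profile above."""
    return json.loads(SAMPLE_PROFILE)


def gate(entry):
    """Summarise everything that restricts an entry beyond its action."""
    inc = entry.get("includes") or {}
    exc = entry.get("excludes") or {}
    return {
        "requires_caps": tuple(sorted(inc.get("caps") or [])),
        "excludes_caps": tuple(sorted(exc.get("caps") or [])),
        "arches": tuple(sorted(inc.get("arches") or [])),
        "excludes_arches": tuple(sorted(exc.get("arches") or [])),
        "arg_filtered": bool(entry.get("args")),
    }


def is_unconditional_allow(entry):
    """True for an allow entry that applies to every container on every
    arch with no argument filter, i.e. the "allow for all containers" list."""
    if entry.get("action") != "SCMP_ACT_ALLOW":
        return False
    return not any(gate(entry).values())


def find_duplicates(profile):
    """Map each unconditionally allowed syscall to the gated allow entries
    that also list it. Those gated entries are dead: the unconditional allow
    already admits the call, so the capability condition or argument filter
    never gets to decide anything."""
    unconditional = set()
    for entry in profile["syscalls"]:
        if is_unconditional_allow(entry):
            unconditional.update(entry["names"])
    dups = {}
    for entry in profile["syscalls"]:
        if entry.get("action") != "SCMP_ACT_ALLOW" or is_unconditional_allow(entry):
            continue
        g = gate(entry)
        for name in entry["names"]:
            if name in unconditional:
                dups.setdefault(name, []).append(g)
    return dups


def report(dups):
    """Render one line per shadowed gated entry, sorted by syscall name."""
    lines = []
    for name in sorted(dups):
        for g in dups[name]:
            parts = []
            if g["requires_caps"]:
                parts.append("requires " + ",".join(g["requires_caps"]))
            if g["excludes_caps"]:
                parts.append("excludes " + ",".join(g["excludes_caps"]))
            if g["arches"]:
                parts.append("arches " + ",".join(g["arches"]))
            if g["excludes_arches"]:
                parts.append("not on " + ",".join(g["excludes_arches"]))
            if g["arg_filtered"]:
                parts.append("argument filter")
            lines.append(f"{name}: allowed for all containers, but also gated by "
                         + "; ".join(parts))
    return lines


if __name__ == "__main__":
    # Pass a real profile path (e.g. the project's seccomp.json) to audit it;
    # with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            profile = json.load(fh)
    else:
        profile = load_sample()
    for line in report(find_duplicates(profile)):
        print(line)
```

On the sample, `unshare` is not reported (it only appears in the `CAP_SYS_ADMIN` list) and neither is `personality` (argument-filtered but not duplicated), while both `clone` entries are flagged, including the `CLONE_NEWUSER` mask rule that the unconditional entry renders inert.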
About this issue
- State: closed
- Created 3 years ago
- Comments: 19 (19 by maintainers)
Commits related to this issue
- Merge pull request #419 from flouthoc/retrofit-tests tests: dig request both `A` and `AAAA` record for specific cases — committed to M1cha/common by mheon 2 years ago
My suggestion is we table raw BPF as one thing on the list of many which we will bundle together as a mega-change for the runtime-spec. I think the seccomp stuff in the runtime-spec needs to be reworked pretty much from scratch since it has so many foot-guns as-is IMHO.
I’d prefer to not do all of these changes piecemeal because each change will add more back-compat we need to support forever, when in reality we should be trying to solve the whole problem upfront if we can.