Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround

From: Christoph Hellwig
Date: Tue Nov 24 2020 - 08:37:34 EST

Next message: Vlastimil Babka: "Re: [PATCH] mm: memory_hotplug: put migration failure information under DEBUG_VM"
Previous message: Michael Klein: "[PATCH v2] ARM: dts: sun8i-h2-plus-bananapi-m2-zero: add poweroff node to DT"
In reply to: Florian Weimer: "Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround"
Next in thread: Florian Weimer: "Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 24, 2020 at 01:08:20PM +0100, Florian Weimer wrote:
> This documents a way to safely use new security-related system calls
> while preserving compatibility with container runtimes that require
> insecure emulation (because they filter the system call by default).
> Admittedly, it is somewhat hackish, but it can be implemented by
> userspace today, for existing system calls such as faccessat2,
> without kernel or container runtime changes.

I think this is completely insane. Tell the OCI folks to fix their
completely broken specification instead.

Next message: Vlastimil Babka: "Re: [PATCH] mm: memory_hotplug: put migration failure information under DEBUG_VM"
Previous message: Michael Klein: "[PATCH v2] ARM: dts: sun8i-h2-plus-bananapi-m2-zero: add poweroff node to DT"
In reply to: Florian Weimer: "Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround"
Next in thread: Florian Weimer: "Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]