        "fanotify_init",
        "lookup_dcookie",
        "quotactl",
        "quotactl_fd",
        "setdomainname",
        "sethostname",
        "setns"
      ],
      "action": "SCMP_ACT_ALLOW",
      "args": [],
      "comment": "",
      "includes": {
        "caps": [
          "CAP_SYS_ADMIN"
        ]
Prior to Linux 5.13 (and 5.10.220), calling fanotify_init()
required the CAP_SYS_ADMIN capability. Since Linux 5.13 (and
5.10.220), users may call fanotify_init() without the
CAP_SYS_ADMIN capability to create and initialize an fanotify
group with limited functionality.
https://www.man7.org/linux/man-pages/man2/fanotify_init.2.html
The policy needs to be changed to allow this use case.
You can find Ruby code to test the issue in moby/moby#49756. It's the equivalent issue to update the policy JSON for Moby.
common/pkg/seccomp/seccomp.json
Lines 694 to 708 in f01ad5b
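To see what the policy fragment above actually does for a container that lacks CAP_SYS_ADMIN, here is an added example (not code from containers/common or moby) that evaluates a seccomp.json profile for a syscall and a capability set. The profile is a constructed excerpt in the Docker/Podman seccomp.json format, and the includes/excludes handling follows how I understand Docker's profile loader treats them (every cap in includes.caps must be present, none from excludes.caps may be); that is an assumption here.

```python
"""Evaluate which seccomp.json rule governs a syscall for a given capability set."""
import copy
import json

# Constructed excerpt in the Docker/Podman seccomp.json format, not the real file:
# inotify_init1 is allowed unconditionally, fanotify_init only behind CAP_SYS_ADMIN.
PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "inotify_init1"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["fanotify_init", "setns", "sethostname"], "action": "SCMP_ACT_ALLOW",
     "args": [], "comment": "", "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}
""")


def rule_applies(rule, caps):
    """Assumed semantics (as in Docker's loader): all of includes.caps must be in the
    container's bounding set and none of excludes.caps may be."""
    inc = rule.get("includes", {}).get("caps", [])
    exc = rule.get("excludes", {}).get("caps", [])
    return all(c in caps for c in inc) and not any(c in caps for c in exc)


def effective_action(profile, syscall, caps=()):
    """Action the profile yields for `syscall`; first applicable rule wins, else default."""
    caps = set(caps)
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule_applies(rule, caps):
            return rule["action"]
    return profile["defaultAction"]


def cap_gated(profile, syscalls):
    """Syscalls the profile denies unprivileged but allows behind some capability."""
    return [s for s in syscalls
            if effective_action(profile, s) != "SCMP_ACT_ALLOW"
            and any(s in r["names"] and r["action"] == "SCMP_ACT_ALLOW"
                    and r.get("includes", {}).get("caps") for r in profile["syscalls"])]


def allow_unconditionally(profile, syscall):
    """Copy of the profile with an unconditional allow rule appended for `syscall`,
    the kind of change the issue asks for; the kernel itself still limits what an
    unprivileged fanotify group may do."""
    fixed = copy.deepcopy(profile)
    fixed["syscalls"].append({"names": [syscall], "action": "SCMP_ACT_ALLOW",
                              "args": [], "comment": "unprivileged since Linux 5.13"})
    return fixed


if __name__ == "__main__":
    print(effective_action(PROFILE, "fanotify_init"))              # SCMP_ACT_ERRNO
    print(cap_gated(PROFILE, ["inotify_init1", "fanotify_init"]))  # ['fanotify_init']
    print(effective_action(allow_unconditionally(PROFILE, "fanotify_init"), "fanotify_init"))
```

Pointing `PROFILE` at the real seccomp.json and running `cap_gated` over the syscalls a workload needs shows which ones are denied only because of a capability condition.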