Skip to content

seccomp: allow fanotify_init without CAP_SYS_ADMIN#2412

Merged
openshift-merge-bot[bot] merged 1 commit into
containers:mainfrom
giuseppe:enable-fanotify-init
Apr 7, 2025
Merged

seccomp: allow fanotify_init without CAP_SYS_ADMIN#2412
openshift-merge-bot[bot] merged 1 commit into
containers:mainfrom
giuseppe:enable-fanotify-init

Conversation

@giuseppe

@giuseppe giuseppe commented Apr 7, 2025

Copy link
Copy Markdown
Member

Closes: #2411

@giuseppe
seccomp: allow fanotify_init without CAP_SYS_ADMIN
8c41d98 
Closes: containers#2411

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@openshift-ci openshift-ci Bot added the approved label Apr 7, 2025
@giuseppe giuseppe mentioned this pull request Apr 7, 2025
Closed
@rhatdan

rhatdan commented Apr 7, 2025

Copy link
Copy Markdown
Member

LGTM

betelgeuse
betelgeuse reviewed Apr 7, 2025
View reviewed changes
Comment thread pkg/seccomp/seccomp.json
"fadvise64",
"fadvise64_64",
"fallocate",
"fanotify_init",

@betelgeuse betelgeuse Apr 7, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This places no restrictions on the arguments. Will this allow a container running as root to make the kernel go OOM by using FAN_UNLIMITED_MARKS?

In other words do the restrictions described here need to be reflected in the policy?

The limitations imposed on an event listener created by a user without the CAP_SYS_ADMIN capability are as follows:

https://www.man7.org/linux/man-pages/man2/fanotify_init.2.html

@giuseppe giuseppe Apr 7, 2025

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that requires CAP_SYS_ADMIN, we don't grant CAP_SYS_ADMIN by default, even for root

@betelgeuse betelgeuse Apr 7, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. I assume then there's no underlying reason it was required to be in the list in the first place. Basically just duplication of the checks done by the kernel any way.

Luap99
Luap99 approved these changes Apr 7, 2025
View reviewed changes

@Luap99 Luap99 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci Bot added the lgtm label Apr 7, 2025
@openshift-ci

openshift-ci Bot commented Apr 7, 2025

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, Luap99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 099375a into containers:main Apr 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Luap99 Luap99 Luap99 approved these changes

+1 more reviewer

@betelgeuse betelgeuse betelgeuse left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@Luap99 Luap99

Labels

approved lgtm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

seccomp policy should allow fanotify_init without CAP_SYS_ADMIN

4 participants

@giuseppe @rhatdan @betelgeuse @Luap99