This repository was archived by the owner on May 30, 2023. It is now read-only.

app-emulation/runc: remove patches disabling NNP and seccomp #1055

Merged
iaguis merged 2 commits into main from iaguis/remove-nnp-patch
Jun 15, 2021

iaguis commented Jun 14, 2021

These were included as a workaround for SELinux issues on Flatcar.
However, they also disable NoNewPrivileges and seccomp support, which
reduces security.

Instead, we'll disable SELinux support in the Docker daemon in the next
commit.

iaguis added 2 commits June 14, 2021 16:22
These were included as a workaround for SELinux issues on Flatcar.
However, they also disable NoNewPrivileges and seccomp support, which
reduces security.

Instead, we'll disable SELinux support in the Docker daemon in the next
commit.

We disable SELinux because Flatcar doesn't properly support it and it
was causing labeling problems when running runc containers with
NoNewPrivileges or seccomp.
@sayanchowdhury

I've triggered a CI build, will check the results tomorrow.

http://jenkins.infra.kinvolk.io:8080/job/os/job/manifest/2807/

sayanchowdhury commented Jun 15, 2021

t-lo left a comment


LGTM, thank you!

iaguis merged commit 5c3a2d5 into main Jun 15, 2021
iaguis deleted the iaguis/remove-nnp-patch branch June 15, 2021 14:57
@dongsupark

Looks good, thanks!

sayanchowdhury added a commit that referenced this pull request Jun 15, 2021
app-emulation/runc: remove patches disabling NNP and seccomp
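
Added example, not part of this pull request or of the Flatcar or runc code: a POSIX shell check that reads the `NoNewPrivs` and `Seccomp` fields of a `/proc/<pid>/status` file to confirm that a container process actually runs with both protections this change restores. The function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# Exit status of check_hardening:
#   0 = NoNewPrivs set and seccomp filter active
#   1 = at least one of the two is off
#   2 = fields missing (older kernel, or not a status file)
check_hardening() {
    status_file=$1
    # Field names per proc(5): NoNewPrivs is 0/1; Seccomp is 0=off, 1=strict, 2=filter.
    nnp=$(awk '$1 == "NoNewPrivs:" { print $2 }' "$status_file")
    sec=$(awk '$1 == "Seccomp:" { print $2 }' "$status_file")
    if [ -z "$nnp" ] || [ -z "$sec" ]; then
        echo "unknown: NoNewPrivs/Seccomp fields not found in $status_file"
        return 2
    fi
    case $sec in
        0) mode=disabled ;;
        1) mode=strict ;;
        2) mode=filter ;;
        *) mode="unrecognized($sec)" ;;
    esac
    echo "NoNewPrivs=$nnp Seccomp=$mode"
    [ "$nnp" = 1 ] && [ "$sec" = 2 ]
}

# Constructed sample inputs (not captured from a real system).
write_samples() {
    dir=$1
    printf 'Name:\tsleep\nNoNewPrivs:\t1\nSeccomp:\t2\n' > "$dir/hardened.status"
    printf 'Name:\tsleep\nNoNewPrivs:\t0\nSeccomp:\t0\n' > "$dir/unconfined.status"
    printf 'Name:\tsleep\nState:\tS (sleeping)\n' > "$dir/oldkernel.status"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in hardened unconfined oldkernel; do
    check_hardening "$demo_dir/$f.status" || echo "  -> $f: exit $?"
done
rm -rf "$demo_dir"
```

On a host, point it at a running container's init process, for example `check_hardening "/proc/$(docker inspect -f '{{.State.Pid}}' CONTAINER)/status"`, where `CONTAINER` is a placeholder. A container started without `--security-opt no-new-privileges` reports `NoNewPrivs=0` by design.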