@pmoust pmoust commented Aug 8, 2017

The quotactl syscall is being whitelisted in default seccomp profile,
gated by CAP_SYS_ADMIN.

Signed-off-by: Panagiotis Moustafellos <pmoust@elastic.co>

Fixes: #34444
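
A simplified model of how a capability-gated rule like the one described above resolves, as an added example that is not code from this pull request or from moby. The profile fragment is constructed in the JSON layout of Docker's seccomp profiles, `read`/`write` stand in for the unconditional allow-list, and argument and architecture filters are ignored.

```python
import json

# Constructed profile fragment (assumption: not copied from the real
# default profile); only the quotactl rule reflects what the PR states.
PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW",
     "includes": {}, "excludes": {}},
    {"names": ["quotactl"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}, "excludes": {}}
  ]
}
""")


def effective_action(profile, syscall, caps):
    """Return the action a container holding `caps` gets for `syscall`."""
    caps = set(caps)
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        wanted = set(rule.get("includes", {}).get("caps", []))
        barred = set(rule.get("excludes", {}).get("caps", []))
        # A gated rule applies only when every included capability is
        # held and no excluded capability is held.
        if wanted <= caps and not (barred & caps):
            return rule["action"]
    # No applicable rule: the profile's default action decides.
    return profile["defaultAction"]


def gated_syscalls(profile, cap):
    """List syscalls whose rules are conditional on `cap` being granted."""
    return sorted(
        name
        for rule in profile["syscalls"]
        if cap in rule.get("includes", {}).get("caps", [])
        for name in rule["names"]
    )
```

Running `gated_syscalls` over a full profile is a quick way to review what extra kernel surface a container gains when it is started with `CAP_SYS_ADMIN`.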

@thaJeztah
ping @justincormack PTAL

@pmoust pmoust force-pushed the f-seccomp-quotacl branch 2 times, most recently from c20d047 to 9f0f9f7 Compare August 9, 2017 09:55
@thaJeztah

This probably requires changes in the documentation for the next release;

@pmoust could you also open a pull request for the documentation in the vnext-engine branch of the documentation repository? https://github.com/docker/docker.github.io/blob/vnext-engine/engine/security/seccomp.md

@pmoust pmoust force-pushed the f-seccomp-quotacl branch from 9f0f9f7 to cf6e1c5 Compare August 9, 2017 15:53
@pmoust pmoust changed the title from "seccomp: whitelist quotacl with CAP_SYS_ADMIN" to "seccomp: whitelist quotactl with CAP_SYS_ADMIN" Aug 9, 2017
@thaJeztah thaJeztah left a comment

changes LGTM though

@pmoust can you do a follow up for the documentation changes?

pmoust added a commit to pmoust/docker.github.io that referenced this pull request Aug 9, 2017
Updated the description of reasons why `quotactl` is blocked by the
default seccomp profile.

Ref: http://man7.org/linux/man-pages/man2/quotactl.2.html

Rel: moby/moby#34445

Signed-off-by: Panagiotis Moustafellos <pmoust@elastic.co>
pmoust commented Aug 9, 2017

@thaJeztah Doc PR at docker/docs#4139

@justincormack I had made a typo, fixed in cf6e1c5, you might also wanna check on the followup doc PR as the description changed to better reflect the reason why quotactl is blacklisted in the default seccomp profile.

@yongtang yongtang merged commit bbb401d into moby:master Aug 9, 2017
pmoust added a commit to pmoust/docker.github.io that referenced this pull request Aug 10, 2017
@pmoust pmoust deleted the f-seccomp-quotacl branch August 10, 2017 10:12