Whitelist statx syscall

[NobodyOnSE]

Signed-off-by: NobodyOnSE ich@sektor.selfip.com

Edited via github's webeditor, so the signoff was done manually, I hope that is enough.

The need for this addition is explained in this SO post. In short: building a Qt 5.10.1 application fails in moc because it uses statx to find includes.

- What I did
Added statx to whitelist of allowed syscalls.

- How I did it
Added it in the default.json for seccomp.

- How to verify it
Try to use statx and don't get an EPERM anymore on non-privileged containers.

- Description for the changelog
Whitelist statx syscall

- A picture of a cute animal (not mandatory but encouraged)

[AkihiroSuda]

This is autogenerated file.

Please edit seccomp_dewfault.go and run go generate

[NobodyOnSE]

@AkihiroSuda I hope that worked. I am no go programmer. I am not used to having an autogenerated file in version control.

[thaJeztah]

ping @justincormack @n4ss PTAL

[justincormack]

Thats fine but note that you will need to install libseccomp-2.3.3 on the host for this to work, as I think that is the first version with statx support.

[thaJeztah]

Thats fine but note that you will need to install libseccomp-2.3.3 on the host for this to work, as I think that is the first version with statx support.

What would be the effect when running on an older libseccomp? will it just ignore this configuration, and continue working as currently?

[n4ss]

LGTM!

[NobodyOnSE]

@thaJeztah I tried to emulate this case by whitelisting the fake syscall nonsense and got no error message. The container started as intended. Furthermore, the seccomp filter still seems to work as I got EPERM on a non whitelisted syscall.

[thaJeztah]

I tried to emulate this case by whitelisting the fake syscall nonsense and got no error message. The container started as intended. Furthermore, the seccomp filter still seems to work as I got EPERM on a non whitelisted syscall.

Thanks!

Changes LGTM; could you squash your commits, so that there's a single commit in this PR? While doing so, perhaps you could update the commit message to also mention that this requires newer versions of libseccomp, and will be ignored by older ones

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@2f7a76a). Click here to learn what that means.
The diff coverage is 0%.

@@            Coverage Diff            @@
##             master   #36417   +/-   ##
=========================================
  Coverage          ?   34.65%           
=========================================
  Files             ?      613           
  Lines             ?    45400           
  Branches          ?        0           
=========================================
  Hits              ?    15732           
  Misses            ?    27607           
  Partials          ?     2061

[NobodyOnSE]

could you squash your commits,

done

update the commit message to also mention that this requires newer versions of libseccomp, and will be ignored by older ones

done

[thaJeztah]

LGTM, thanks!

[NobodyOnSE]

@thaJeztah Is there an ETA or a planned release for this PR?

[thaJeztah]

@NobodyOnSE it was opened after code-freeze for Docker 18.03, so currently it will be included in the release after that (18.04)

[thaJeztah]

If you want to try a version with this patch, nightly builds should be available soon in the "nightly" channel (e.g. nightly builds for Ubuntu 16.04 https://download.docker.com/linux/ubuntu/dists/xenial/pool/nightly/amd64/)