Skip to content

[20.10 backport] seccomp: always allow name_to_handle_at(2)#45835

Merged
neersighted merged 2 commits intomoby:20.10from
neersighted:backport/45766/20.10
Jun 28, 2023
Merged

[20.10 backport] seccomp: always allow name_to_handle_at(2)#45835
neersighted merged 2 commits intomoby:20.10from
neersighted:backport/45766/20.10

Conversation

@neersighted
Copy link
Copy Markdown
Member

@neersighted neersighted commented Jun 27, 2023
edited
Loading

Warning
Tiny merge conflict due to a lack of #42005

closes #45518

Hi there, this is my first PR here, so please feel free to point me out if anything is wrong with this contribution. I looked the #45518 issue and I believe this could be a fix.

- What I did
Removed the function from the filtered syscalls as name_to_handle_at(2) is in fact innocuous and safe

- How I did it
@neersighted help at comment

- How to verify it
N/A

- Description for the changelog

Remove name_to_handle_at(2) from filtered syscalls

- A picture of a cute animal (not mandatory but encouraged)
image

@bartier @neersighted
remove name_to_handle_at(2) from filtered syscalls
45a8248 
Signed-off-by: Vitor Anjos <bartier@users.noreply.github.com>
(cherry picked from commit fdc9b7c)
Resolved conflicts:
	profiles/seccomp/default_linux.go
Co-Authored-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
@neersighted neersighted added this to the 20.10.26 milestone Jun 27, 2023
@neersighted neersighted mentioned this pull request Jun 27, 2023
Merged
@neersighted neersighted marked this pull request as draft June 28, 2023 11:35
@neersighted
seccomp: add name_to_handle_at to allowlist
a480b37 
Based on the analysis on [the previous PR][1].

  [1]: moby#45766 (review)

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit b335e3d)
Resolved conflicts:
	profiles/seccomp/default_linux.go
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
@neersighted neersighted marked this pull request as ready for review June 28, 2023 11:48
@neersighted neersighted changed the title [20.10 backport] remove name_to_handle_at(2) from filtered syscalls [20.10 backport] seccomp: always allow name_to_handle_at(2) Jun 28, 2023
@neersighted
Copy link
Copy Markdown
Member Author

neersighted commented Jun 28, 2023

@corhere Are you okay with bringing this back to 20.10?

@neersighted
Copy link
Copy Markdown
Member Author

neersighted commented Jun 28, 2023

Vendor issue is a flake.

@neersighted neersighted merged commit a3debee into moby:20.10 Jun 28, 2023
@neersighted neersighted deleted the backport/45766/20.10 branch June 28, 2023 16:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@corhere corhere corhere approved these changes

@tianon tianon Awaiting requested review from tianon

@thaJeztah thaJeztah Awaiting requested review from thaJeztah

@AkihiroSuda AkihiroSuda Awaiting requested review from AkihiroSuda

+1 more reviewer

@bartier bartier bartier approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/security/seccomp impact/changelog

Projects

None yet

Milestone

20.10.26

Development

Successfully merging this pull request may close these issues.

6 participants

@neersighted @corhere @bartier @tianon @thaJeztah @AkihiroSuda