New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
seccomp: allow specifying a custom profile with --privileged
#47500
base: master
Are you sure you want to change the base?
Conversation
64eb594
to
46119ea
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure this is correct or incorrect yet. As of late we have been discussing how --privileged
and LSMs should combine (see the revival of #38075); so I'm registering my -1 for now until we decide how these options should (or should not) combine overall.
To clarify the background, I'm proposing this for capturing socket syscalls with This is not an attempt to harden privileged containers beyond as it is. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall LGTM and I think this is correct design.
But we should verify that all the individually controllable options also bundled into --privileged
behave the same way. Atm. it looks like they do but it has not been verified and ideally should have individual test cases.
It would also be nice if there was a clear security scope definition(if there isn't already) , for example https://github.com/moby/buildkit/blob/master/PROJECT.md#security-boundary that would make it clear that --privileged
is still considered insecure for security, no matter if you also use a different flag as well.
@neersighted do you have a strong objection against this one? Overall, I think it's fine to do this, and it seems like a more logical option than silently discarding the user's preference (we should either error or accept, not "discard"). We should make sure that we're clear in the docs what the expectation is though; @dvdksn has a PR pending in the CLI; I think that one is "good enough" for now, but we should probably outline that even if we accept options like this, a |
Ah, circling back, we talked about this in a recent maintainers' call, and my takeaway is we probably should allow it, but we'd like to figure out what the semantics for all security-opt combinations with I don't necessarily think we need to block everything on reaching that ideal state, but given there is more and more demand re: combining or decomposing |
fc7e984
to
33c7952
Compare
135cc87
to
9db3f21
Compare
`--privileged --security-opt seccomp=<CUSTOM.json>` was ignoring `<CUSTOM.json>`. Fix issue 47499 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
- What I did
Fix #47499
- How I did it
Updated
daemon/seccomp_linux.go
- How to verify it
"Operation not permitted" is the expected error here.
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)
🐧