FS#49649 - [docker] enable seccomp

Attached to Project: Community Packages
Opened by: Pranay Kanwar (cpk) - Friday, 10 June 2016, 10:58 GMT
Last edited by: Sébastien Luttringer (seblu) - Thursday, 23 June 2016, 20:56 GMT
Task Type: Feature Request
Category: Packages
Status: Closed
Assigned To: Sébastien Luttringer (seblu)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

Current build does not enable seccomp for security profiles. Probably just need to add libseccomp as a build dependency(?)
As per https://docs.docker.com/engine/security/seccomp/ , the seccomp version needed is 2.2.1; the repo has 2.3.1-1.

Additional info:

* package version(s)

docker 1:1.11.2-1

* config and/or log files etc.


Steps to reproduce:

1. create a sample seccomp profile and execute docker run

$ cat tmp/test.json
{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "name": "accept",
            "action": "SCMP_ACT_ALLOW",
            "args": []
        },
        {
            "name": "accept4",
            "action": "SCMP_ACT_ALLOW",
            "args": []
        }
    ]
}
$ docker run --rm -it --security-opt seccomp=tmp/test.json alpine /bin/sh -c 'grep Seccomp /proc/self/status'
Seccomp:	0

2. The Seccomp field in /proc/self/status should be 2
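The check the reporter runs inside the container reads the kernel's own view of the process: the Seccomp field of /proc/<pid>/status is 0 when no seccomp is in effect, 1 for strict mode and 2 for filter mode, which is what a loaded Docker profile produces. The script below is an added example, not code from the bug report or from the Docker project; the function names, the constructed /proc status fragments and the container_seccomp_mode wrapper are my own. The wrapper needs a running Docker daemon built with seccomp support and is deliberately not called at top level, so the rest runs offline. One caveat on the profile in the report: test.json allows only accept and accept4 with SCMP_ACT_ERRNO as the default, so a daemon that really enforces it cannot even execve /bin/sh under that profile; a Seccomp value of 0 there means the profile was never loaded at all, which is presumably why the follow-up test uses a more permissive profile.

```shell
#!/bin/sh
# Added example (not from the bug report or Docker): decide whether a process
# really runs under a seccomp filter from its /proc/<pid>/status contents.
# Kernel meaning of the field: 0 = disabled, 1 = strict, 2 = filter (BPF).

# seccomp_mode STATUS_TEXT
# Print the numeric value of the "Seccomp:" line of a /proc/<pid>/status dump.
# Prints nothing when the line is absent (kernel built without seccomp).
seccomp_mode() {
    printf '%s\n' "$1" | awk '$1 == "Seccomp:" { print $2; exit }'
}

# seccomp_mode_name MODE
# Human-readable label for the numeric mode.
seccomp_mode_name() {
    case "$1" in
        0) printf 'disabled\n' ;;
        1) printf 'strict\n' ;;
        2) printf 'filter\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# seccomp_filter_active STATUS_TEXT
# Exit 0 only when a filter is installed. A Docker build without the seccomp
# build tag leaves this at 0 even though --security-opt seccomp=... was given,
# which is exactly the symptom in the report.
seccomp_filter_active() {
    [ "$(seccomp_mode "$1")" = "2" ]
}

# container_seccomp_mode IMAGE PROFILE   (hypothetical helper, needs dockerd)
# Start a throwaway container under PROFILE and report its Seccomp mode.
container_seccomp_mode() {
    seccomp_mode "$(docker run --rm --security-opt "seccomp=$2" "$1" cat /proc/self/status)"
}

# Stand-alone demo on the current shell; skipped where /proc is unavailable.
if [ -r /proc/self/status ]; then
    mode=$(seccomp_mode "$(cat /proc/self/status)")
    printf 'this shell: Seccomp=%s (%s)\n' "${mode:-?}" "$(seccomp_mode_name "$mode")"
fi
```

Usage against a daemon: `container_seccomp_mode alpine tmp/permissive.json` should print 2 on a seccomp-enabled build; a 0 means the profile was ignored, not that it allowed everything, and that distinction is what makes the status check worth running before trusting a profile in production.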

Closed by: Sébastien Luttringer (seblu)
Thursday, 23 June 2016, 20:56 GMT
Reason for closing: Fixed
Comment by Sébastien Luttringer (seblu) - Saturday, 18 June 2016, 01:20 GMT
Could you test if adding libseccomp is enough?
Comment by Pranay Kanwar (cpk) - Saturday, 18 June 2016, 08:10 GMT
Tested, did a new package build, doesn't look like it's enough. Needed to add

export DOCKER_BUILDTAGS='seccomp'

Above https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/docker#n40

As per https://github.com/docker/docker/blob/master/project/PACKAGERS.md

With the pkg built with the above, seccomp gets enabled and is working fine

$ docker run --rm -it --security-opt seccomp=tmp/permissive.json alpine /bin/sh -c 'grep Seccomp /proc/self/status'
Seccomp:	2
Comment by Sébastien Luttringer (seblu) - Monday, 20 June 2016, 22:47 GMT
let me know if docker-1:1.11.2-2 makes you happy.
Comment by Pranay Kanwar (cpk) - Thursday, 23 June 2016, 05:51 GMT
Yeah working great. Thanks