Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#49649 - [docker] enable seccomp
Attached to Project:
Community Packages
Opened by Pranay Kanwar (cpk) - Friday, 10 June 2016, 10:58 GMT
Last edited by Sébastien Luttringer (seblu) - Thursday, 23 June 2016, 20:56 GMT
Description:
Current build does not enable seccomp for security profiles. Probably just need to add libseccomp as build dependency(?) As per https://docs.docker.com/engine/security/seccomp/ , seccomp version needed is 2.2.1, repo has 2.3.1-1

Additional info:
* package version(s) docker 1:1.11.2-1
* config and/or log files etc.

Steps to reproduce:
1. create a sample seccomp profile and execute docker run

$ cat tmp/test.json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "name": "accept",
      "action": "SCMP_ACT_ALLOW",
      "args": []
    },
    {
      "name": "accept4",
      "action": "SCMP_ACT_ALLOW",
      "args": []
    }
  ]
}
$ docker run --rm -it --security-opt seccomp=tmp/test.json alpine /bin/sh -c 'grep Seccomp /proc/self/status'
Seccomp: 0

2. Seccomp field in /proc/self/status should be 2
export DOCKER_BUILDTAGS='seccomp'
Above https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/docker#n40
As per https://github.com/docker/docker/blob/master/project/PACKAGERS.md
pkg built with the above, seccomp gets enabled and is working fine
$ docker run --rm -it --security-opt seccomp=tmp/permissive.json alpine /bin/sh -c 'grep Seccomp /proc/self/status'
Seccomp: 2
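The check used in both the report and the follow-up (grep the Seccomp field of /proc/self/status inside the container) is easy to misread, since 0, 1 and 2 mean different things and a kernel without seccomp prints no line at all. The script below is an added example, not code from Docker or from the Arch package: it interprets that field and does a structural sanity check of a profile in the JSON layout quoted in the report. The status excerpts are constructed; the profile is the report's tmp/test.json. Note that the report's profile (default SCMP_ACT_ERRNO, only accept and accept4 allowed) can only appear to "work" while the filter is not applied, because once mode 2 is active every other syscall fails; the follow-up comment accordingly tests with a permissive profile instead.

```python
"""Interpret the Seccomp field of /proc/<pid>/status and sanity-check a
Docker seccomp profile. Added example for FS#49649; not part of Docker or
the Arch docker package."""
import json
import os
import re

# Kernel seccomp modes as exposed in /proc/<pid>/status.
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed /proc/<pid>/status excerpts (only the Seccomp line matters).
SAMPLE_STATUS_NO_FILTER = "Name:\tsh\nPid:\t1\nSeccomp:\t0\n"
SAMPLE_STATUS_FILTER = "Name:\tsh\nPid:\t1\nSeccomp:\t2\n"

# The tmp/test.json profile from the bug report.
SAMPLE_PROFILE = """{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"name": "accept", "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "accept4", "action": "SCMP_ACT_ALLOW", "args": []}
  ]
}"""


def seccomp_mode(status_text):
    """Return the integer Seccomp mode from a /proc/<pid>/status dump, or None
    when the kernel prints no Seccomp line at all (CONFIG_SECCOMP off or a
    kernel older than 3.8). None must be reported as unknown, not disabled."""
    m = re.search(r"^Seccomp:\s*(\d+)\s*$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def describe_mode(mode):
    """Human-readable name for a mode value returned by seccomp_mode()."""
    if mode is None:
        return "unknown (no Seccomp line)"
    return SECCOMP_MODES.get(mode, "unknown(%d)" % mode)


def filter_applied(status_text):
    """True only for mode 2, i.e. a BPF filter is installed, which is what
    `docker run --security-opt seccomp=<profile>` must produce when the
    daemon was built with the seccomp build tag."""
    return seccomp_mode(status_text) == 2


def summarize_profile(profile_json):
    """Parse a Docker seccomp profile and return
    (default_action, allowed_syscall_names, problems).
    `problems` lists structural issues worth flagging before using the
    profile to judge whether seccomp is working."""
    prof = json.loads(profile_json)
    problems = []
    default = prof.get("defaultAction")
    if default is None:
        problems.append("missing defaultAction")
    allowed = []
    for rule in prof.get("syscalls", []):
        name = rule.get("name")
        if not name:
            problems.append("syscall rule without a name")
            continue
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.append(name)
    if not prof.get("architectures"):
        problems.append("no architectures listed")
    return default, allowed, problems


if __name__ == "__main__":
    # Stand-alone use: report the mode of the current process when on Linux.
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as fh:
            mode = seccomp_mode(fh.read())
        print("this process: Seccomp mode", mode, "->", describe_mode(mode))
    default, allowed, problems = summarize_profile(SAMPLE_PROFILE)
    print("profile default:", default, "allowed:", allowed, "problems:", problems)
```

Run inside the container in place of the grep to get the same answer with the mode spelled out; a result of "unknown" points at the host kernel rather than at the docker package.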