From: Christoph Hellwig <hch@infradead.org>
To: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, dev@opencontainers.org,
corbet@lwn.net, Carlos O'Donell <carlos@redhat.com>
Subject: Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround
Date: Tue, 24 Nov 2020 13:37:19 +0000 [thread overview]
Message-ID: <20201124133719.GA30896@infradead.org> (raw)
In-Reply-To: <87lfer2c0b.fsf@oldenburg2.str.redhat.com>
On Tue, Nov 24, 2020 at 01:08:20PM +0100, Florian Weimer wrote:
> This documents a way to safely use new security-related system calls
> while preserving compatibility with container runtimes that require
> insecure emulation (because they filter the system call by default).
> Admittedly, it is somewhat hackish, but it can be implemented by
> userspace today, for existing system calls such as faccessat2,
> without kernel or container runtime changes.
I think this is completely insane. Tell the OCI folks to fix their
completely broken specification instead.
next prev parent reply other threads:[~2020-11-24 13:37 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-24 12:08 [PATCH] syscalls: Document OCI seccomp filter interactions & workaround Florian Weimer
2020-11-24 12:26 ` Christian Brauner
2020-11-24 12:54 ` Florian Weimer
2020-11-24 14:08 ` Mark Wielaard
2020-11-24 16:45 ` Christoph Hellwig
2020-11-24 17:06 ` Jann Horn
2020-11-24 17:15 ` Greg KH
2020-11-24 17:21 ` Christian Brauner
2020-11-24 17:30 ` Jann Horn
2020-11-24 17:44 ` Greg KH
2020-11-24 17:47 ` Jann Horn
2020-11-24 18:17 ` Florian Weimer
2020-11-24 18:02 ` Florian Weimer
2020-11-24 18:09 ` Florian Weimer
2020-11-24 12:58 ` Aleksa Sarai
2020-11-24 13:05 ` Florian Weimer
2020-11-24 13:37 ` Christoph Hellwig [this message]
2020-11-24 14:08 ` Florian Weimer
2020-11-24 16:46 ` Christoph Hellwig
2020-11-24 16:52 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201124133719.GA30896@infradead.org \
--to=hch@infradead.org \
--cc=carlos@redhat.com \
--cc=corbet@lwn.net \
--cc=dev@opencontainers.org \
--cc=fweimer@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.