From: Florian Weimer <fweimer@redhat.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: linux-api@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, dev@opencontainers.org,
corbet@lwn.net, Carlos O'Donell <carlos@redhat.com>
Subject: Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround
Date: Tue, 24 Nov 2020 15:08:09 +0100 [thread overview]
Message-ID: <87k0ua26gm.fsf@oldenburg2.str.redhat.com> (raw)
In-Reply-To: <20201124133719.GA30896@infradead.org> (Christoph Hellwig's message of "Tue, 24 Nov 2020 13:37:19 +0000")
* Christoph Hellwig:
> On Tue, Nov 24, 2020 at 01:08:20PM +0100, Florian Weimer wrote:
>> This documents a way to safely use new security-related system calls
>> while preserving compatibility with container runtimes that require
>> insecure emulation (because they filter the system call by default).
>> Admittedly, it is somewhat hackish, but it can be implemented by
>> userspace today, for existing system calls such as faccessat2,
>> without kernel or container runtime changes.
>
> I think this is completely insane. Tell the OCI folks to fix their
> completely broken specification instead.
Do you categorically reject the general advice, or specific instances as
well? Like this workaround for faccessat that follows the pattern I
outlined:
<https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html>
I value your feedback and want to make sure I capture it accurately.
Thanks,
Florian
--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
next prev parent reply other threads:[~2020-11-24 14:08 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-24 12:08 [PATCH] syscalls: Document OCI seccomp filter interactions & workaround Florian Weimer
2020-11-24 12:26 ` Christian Brauner
2020-11-24 12:54 ` Florian Weimer
2020-11-24 14:08 ` Mark Wielaard
2020-11-24 16:45 ` Christoph Hellwig
2020-11-24 17:06 ` Jann Horn
2020-11-24 17:15 ` Greg KH
2020-11-24 17:21 ` Christian Brauner
2020-11-24 17:30 ` Jann Horn
2020-11-24 17:44 ` Greg KH
2020-11-24 17:47 ` Jann Horn
2020-11-24 18:17 ` Florian Weimer
2020-11-24 18:02 ` Florian Weimer
2020-11-24 18:09 ` Florian Weimer
2020-11-24 12:58 ` Aleksa Sarai
2020-11-24 13:05 ` Florian Weimer
2020-11-24 13:37 ` Christoph Hellwig
2020-11-24 14:08 ` Florian Weimer [this message]
2020-11-24 16:46 ` Christoph Hellwig
2020-11-24 16:52 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k0ua26gm.fsf@oldenburg2.str.redhat.com \
--to=fweimer@redhat.com \
--cc=carlos@redhat.com \
--cc=corbet@lwn.net \
--cc=dev@opencontainers.org \
--cc=hch@infradead.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.