Conversation

@giuseppe giuseppe commented Apr 7, 2025

Closes: #2411

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
rhatdan commented Apr 7, 2025

LGTM

"fadvise64",
"fadvise64_64",
"fallocate",
"fanotify_init",

This places no restrictions on the arguments. Will this allow a container running as root to make the kernel go OOM by using FAN_UNLIMITED_MARKS?

In other words do the restrictions described here need to be reflected in the policy?

The limitations imposed on an event listener created by a user without the CAP_SYS_ADMIN capability are as follows:

https://www.man7.org/linux/man-pages/man2/fanotify_init.2.html

Member Author

That requires CAP_SYS_ADMIN; we don't grant CAP_SYS_ADMIN by default, even for root.

Ok. I assume then there's no underlying reason it was required to be in the list in the first place. Basically just duplication of the checks done by the kernel anyway.
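As an added illustration of what this review thread is weighing (not code from containers/common or any participant), a small audit helper that reads a seccomp profile in the Docker/containers JSON layout and reports, for one syscall, whether it is allowed unconditionally, only behind a capability gate such as CAP_SYS_ADMIN, or with argument filters. The profile embedded below is a constructed sample, not the project's real seccomp.json.

```python
import json

# Constructed sample profile (not the project's seccomp.json): one unconditional
# allow group and one group gated on CAP_SYS_ADMIN via "includes".
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["fadvise64", "fallocate", "fanotify_init"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["fanotify_init", "bpf", "mount"],
         "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
})


def syscall_policy(profile_json: str, syscall: str) -> dict:
    """Classify how a seccomp profile treats one syscall.

    Returns a dict with:
      allowed       - some SCMP_ACT_ALLOW rule names the syscall
      unconditional - an allow rule matches with no capability gate
      caps          - list of capability sets that unlock a gated allow rule
      has_args      - some matching allow rule carries argument filters
    """
    prof = json.loads(profile_json)
    result = {"allowed": False, "unconditional": False,
              "caps": [], "has_args": False}
    for rule in prof.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        result["allowed"] = True
        if rule.get("args"):
            result["has_args"] = True
        caps = rule.get("includes", {}).get("caps", [])
        if caps:
            result["caps"].append(sorted(caps))
        else:
            # No "includes" gate: the rule applies to every container,
            # so argument-level limits are left to the kernel itself.
            result["unconditional"] = True
    return result


if __name__ == "__main__":
    for name in ("fanotify_init", "mount", "ptrace"):
        print(name, syscall_policy(SAMPLE_PROFILE, name))
```

Run against a real profile by loading it with `open(path).read()` in place of `SAMPLE_PROFILE`; an unconditional allow with `has_args` False is exactly the "no restrictions on the arguments" case the thread discusses.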

@Luap99 Luap99 left a comment

/lgtm

openshift-ci bot commented Apr 7, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, Luap99

@openshift-merge-bot openshift-merge-bot bot merged commit 099375a into containers:main Apr 7, 2025
15 checks passed
Successfully merging this pull request may close these issues.

seccomp policy should allow fanotify_init without CAP_SYS_ADMIN

4 participants