This repository was archived by the owner on Jun 11, 2020. It is now read-only.
[17.06 backport] Update libseccomp-golang dependency for filter generation bugfix [ENGCORE-866]#12
Closed
thaJeztah wants to merge 3 commits intodocker-archive:17.06from
Closed
Conversation
Syscall argument handling was bugged in previous releases. Per-argument match rules were handled with OR logic when they should have used AND logic. The updated version of the bindings resolves this issue. As a side effect, the minimum supported version of Libseccomp has been raised from v2.1.0 to v2.2.0. Signed-off-by: Matthew Heon <mheon@redhat.com> (cherry picked from commit 03a5a74) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Matthew Heon <mheon@redhat.com> (cherry picked from commit bbc847a) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Member
Author
|
@kolyshkin @andrewhsu PTAL not sure how to get CI (travis) running again on this one |
Signed-off-by: Matthew Heon <mheon@redhat.com> (cherry picked from commit 472fa3d) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
17.06_backport_update_libseccomp_golang
branch
from
98bf9c5 to
67bdcdb
Compare
|
nevermind, it was just an issue of canonical path. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
addresses ENGCORE-866
backport of opencontainers#1424 for 17.06
A bug in Seccomp filter handling was recently identified in Moby related to handling of syscall arguments in Seccomp filters (moby/moby#32714). The bug was in the libseccomp-golang bindings, and has been fixed there. This PR updates the bindings to include this fix, and provides integration tests to catch regressions in this behavior.
The minimum supported version of libseccomp is bumped from v2.1.0 to v2.2.0 by associated changes to the bindings. Support for v2.1.0 was never very good (some features had to be gated off because of a library bug), though it is still the version provided by a few major distributions. If this change is contentious, I can see about backing out the changes that require v2.2.0.
This fixes CVE-2017-18367 - Multiple syscall arguments were incorrectly combined with logical-OR, instead of logical-AND