[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#56359: seccomp test failures on RHEL 9.0
|
From: |
Lars Ingebrigtsen |
|
Subject: |
bug#56359: seccomp test failures on RHEL 9.0 |
|
Date: |
Tue, 11 Oct 2022 21:47:28 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) |
Paul Eggert <eggert@cs.ucla.edu> writes:
> My "fix" involved allowing all uses of clone3, which (as Philipp noted
> in August) is problematic. I'm not sure what's being tested for, but
> if clone3 lets you evade the checks then the test is arguably more
> trouble than it's worth. Would marking it as :unstable lessen the
> number of false alarms we're getting? If not, perhaps we should remove
> it or mark it as :dont-use-unless-you-know-what-youre-doing or
> whatever.
And pidfd_open also sounds like a non-safe call (without looking at it
closely).
Skimming the tests, they seem to test pretty basic functionality in the
seccomp area -- that is, without allowing pidfd_open/clone3, nothing
will be able to run using the seccomp functionality. But since those
are somewhat unsafe, then... what's the point?
But I may be missing how this is supposed to be used altogether.