Bug 57093 - Default docker seccomp rules are not sufficient for images that use glibc >=2.34
Status: NEW
Product: UCS
Classification: Unclassified
Component: Docker
UCS 5.0
Other Linux
: P5 normal
: ---
Assigned To: App Center maintainers
App Center maintainers
https://git.knut.univention.de/univen...
:
Depends on: 55360
Blocks: 56649
Reported: 2024-02-28 11:39 CET by Julia Bremer
Modified: 2024-02-28 11:39 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?: Yes
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Julia Bremer univentionstaff 2024-02-28 11:39:01 CET
+++ This bug was initially created as a clone of Bug #55360 +++
In Bug #55360 we added the syscalls clone3 and faccessat2 to /etc/docker/seccomp-systemd.json, so that docker images using glibc >=2.34 can be started when using this seccomp profile.

This seccomp profile is given to (single-container) apps by the appcenter.
Every multi-container app still needs to specify the seccomp profile manually to work.
On docker build, the default (not sufficient) seccomp rules are used and building docker images fails.

We could define our /etc/docker/seccomp-systemd.json as the default seccomp profile in the docker daemon, then we wouldn't get any issues about that.


If someone experiences weird problems using "newer" containers on 5.0, doing this helps to mitigate these issues:

ucr set docker/daemon/default/json='{"seccomp-profile": "/etc/docker/seccomp-systemd.json"}'
systemctl restart docker.service
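Added example (not Univention's or Docker's own code): a small Python check that a seccomp profile actually allows the two syscalls named in this report and that the daemon-wide default points at it. It assumes the ucr setting above ends up as "seccomp-profile" in /etc/docker/daemon.json; the two profiles embedded below are constructed minimal stand-ins for the real file.

```python
import json

# Syscalls the bug report says glibc >= 2.34 containers need.
REQUIRED_SYSCALLS = frozenset({"clone3", "faccessat2"})
DEFAULT_PROFILE_PATH = "/etc/docker/seccomp-systemd.json"


def missing_syscalls(profile, required=REQUIRED_SYSCALLS):
    """Return the required syscalls this docker seccomp profile would block.

    A profile has a "defaultAction" plus "syscalls" rules, each with "names"
    and an "action". Anything that is not SCMP_ACT_ALLOW is treated as
    blocking. This is conservative: an SCMP_ACT_ERRNO rule returning ENOSYS
    lets glibc fall back to clone/faccessat, whereas EPERM does not.
    """
    rules = profile.get("syscalls", [])
    allowed = {n for r in rules if r.get("action") == "SCMP_ACT_ALLOW"
               for n in r.get("names", [])}
    denied = {n for r in rules if r.get("action") != "SCMP_ACT_ALLOW"
              for n in r.get("names", [])}
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return set(required) & denied   # allow-by-default: only explicit denies block
    return set(required) - allowed      # deny-by-default: must be explicitly allowed


def daemon_uses_profile(daemon_json, path=DEFAULT_PROFILE_PATH):
    """True if daemon.json makes `path` the daemon-wide default profile."""
    return daemon_json.get("seccomp-profile") == path


# Constructed minimal profiles; the real file lists hundreds of syscalls.
OLD_PROFILE = json.loads('''{"defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [{"names": ["read", "write", "clone", "faccessat"],
                "action": "SCMP_ACT_ALLOW"}]}''')
FIXED_PROFILE = json.loads('''{"defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [{"names": ["read", "write", "clone", "faccessat",
                          "clone3", "faccessat2"], "action": "SCMP_ACT_ALLOW"}]}''')
# What the ucr command above is assumed to write into /etc/docker/daemon.json.
DAEMON_JSON = json.loads('{"seccomp-profile": "/etc/docker/seccomp-systemd.json"}')


def check_host(profile_path=DEFAULT_PROFILE_PATH, daemon_path="/etc/docker/daemon.json"):
    """Run both checks against the real files on a UCS host."""
    with open(profile_path) as f:
        missing = missing_syscalls(json.load(f))
    with open(daemon_path) as f:
        is_default = daemon_uses_profile(json.load(f), profile_path)
    return missing, is_default


if __name__ == "__main__":
    print("old profile blocks:", missing_syscalls(OLD_PROFILE))      # {'clone3', 'faccessat2'}
    print("fixed profile blocks:", missing_syscalls(FIXED_PROFILE))  # set()
    print("daemon default set:", daemon_uses_profile(DAEMON_JSON))   # True
```

Running check_host() on a 5.0 host returns an empty set and True once the profile and the daemon default are both in place.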