Bug 52478 - add statx (sys call) to default docker seccomp policy
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Docker
UCS 4.4
Other Linux
P5 normal
: UCS 4.4-7-errata
Assigned To: Ole Schwiegert
Daniel Tröder
Depends on:
Blocks:
Reported: 2020-12-10 15:05 CET by Felix Botner
Modified: 2020-12-16 16:03 CET (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
univention-docker.patch (827 bytes, patch)
2020-12-10 15:06 CET, Felix Botner

Description Felix Botner univentionstaff 2020-12-10 15:05:26 CET
At least the veyon app needs statx, otherwise:

-> docker run -it --rm --hostname ucssc-48913906  -p 11080:11080/tcp -v /var/lib/univention-appcenter/apps/ucsschool-veyon-proxy/conf:/var/lib/univention-appcenter/apps/ucsschool-veyon-proxy/conf -v /etc/apt/apt.conf.d/80proxy:/etc/apt/apt.conf.d/81proxy:ro -v /var/lib/univention-appcenter/apps/ucsschool-veyon-proxy/data:/var/lib/univention-appcenter/apps/ucsschool-veyon-proxy/data -v /sys/fs/cgroup:/sys/fs/cgroup:ro  --cap-add ALL --tmpfs /run --tmpfs /run/lock --security-opt seccomp:/etc/docker/seccomp-systemd.json -e container=docker  veyon/webapi-proxy:latest
PlatformPluginManager: no platform plugin available!
Aborted (core dumped)
Comment 1 Felix Botner univentionstaff 2020-12-10 15:06:39 CET
Created attachment 10576 [details]
univention-docker.patch

works with this change
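To show what such a change does to the profile, here is an added Python example (not the attached univention-docker.patch and not Univention code): it parses a constructed Docker seccomp profile in the same JSON format as /etc/docker/seccomp-systemd.json, reports which action seccomp would apply to statx, and returns a copy with statx added to an unconditional allow rule. The sample profile and its syscall list are constructed for the example.

```python
import json

# Constructed, trimmed stand-in for a Docker seccomp profile (same JSON shape as
# /etc/docker/seccomp-systemd.json, but not its real content). Any syscall that
# no rule covers falls through to defaultAction, which is how a newer syscall
# such as statx ends up returning an errno to the process inside the container.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "openat", "stat", "fstat", "newfstatat"],
         "action": "SCMP_ACT_ALLOW", "args": []},
    ],
})


def _rule_names(rule):
    """Syscall names a rule covers; handles both the 'names' list and the older 'name' key."""
    names = list(rule.get("names", []))
    if "name" in rule:
        names.append(rule["name"])
    return names


def effective_action(profile, syscall):
    """Action seccomp applies to `syscall`: the first unconditional rule naming it,
    otherwise defaultAction. Rules with argument filters are skipped (treated as
    not covering the call) because their outcome depends on runtime arguments."""
    for rule in profile.get("syscalls", []):
        if rule.get("args"):
            continue
        if syscall in _rule_names(rule):
            return rule["action"]
    return profile["defaultAction"]


def allow_syscalls(profile, syscalls):
    """Return a deep copy of `profile` with every syscall in `syscalls` that is not
    already unconditionally allowed appended as one SCMP_ACT_ALLOW rule."""
    patched = json.loads(json.dumps(profile))  # deep copy; leave the input untouched
    missing = [s for s in syscalls if effective_action(patched, s) != "SCMP_ACT_ALLOW"]
    if missing:
        patched.setdefault("syscalls", []).append(
            {"names": missing, "action": "SCMP_ACT_ALLOW", "args": []})
    return patched


if __name__ == "__main__":
    prof = json.loads(SAMPLE_PROFILE)
    print("statx before:", effective_action(prof, "statx"))
    fixed = allow_syscalls(prof, ["statx"])
    print("statx after: ", effective_action(fixed, "statx"))
    print(json.dumps(fixed, indent=2))
```

Run it against a real profile by replacing SAMPLE_PROFILE with the file contents, then pass the written-out result to docker run via --security-opt seccomp=<file>.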
Comment 2 Ole Schwiegert univentionstaff 2020-12-13 22:41:04 CET
Your proposal worked for our use case. I applied your patch and built it in the 4.4-7 errata scope:

Package: univention-docker
Version: 4.0.1-9A~4.4.0.202012132236
Branch: ucs_4.4-0
Scope: errata4.4-7
Comment 3 Daniel Tröder univentionstaff 2020-12-14 12:07:34 CET
OK: Code change
OK: manual test: install ucsschool-veyon-proxy app from test-appcenter
OK: advisory

All fine so far, just waiting for Jenkins tests.
Comment 4 Daniel Tröder univentionstaff 2020-12-15 13:40:48 CET
No problems in the 4.4-7 Jenkins jobs.