Re: How to disable seccomp in systemd-nspawn?

On Mi, 24.06.20 23:13, Mohan R (mohan43u@xxxxxxxxx) wrote:

> Hi,
>
> How to disable seccomp in systemd-nspawn? I'm facing an issue while
> running fuse-overlayfs and I reported it

You can't disable seccomp right now.

> https://github.com/containers/fuse-overlayfs/issues/220#issuecomment-648865831
>
> Developer asked me to check if the container is seccomp filtered, as
> suspected systemd-nspawn put the container inside seccomp filtered
> (Seccomp: 2). But I'm not able to get the list of filtered syscalls or
> I'm not able to find out why 'openat2()' is returning EPERM inside the
> systemd-nspawn container.

We implement a system call allow list, i.e. everything that isn't
explicitly allowed is denied. You can use --system-call-filter=openat2
to allow a specific syscall on top of our defaults, i.e. extend the
allow list, or remove entries from it.

Generic application code should have fallbacks in place when it comes
to new system calls such as openat2(), if they are supposed to work on
kernels that aren't the very newest or in containerized environments,
since pretty much all of them employ a syscall filter allow list these
days.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
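Lennart's closing point is that portable code should degrade gracefully when a new system call such as openat2() is missing, whether because the kernel predates it (ENOSYS) or because a container's seccomp allow list rejects it (EPERM, as nspawn does by default). The C program below is an added example and is not code from this thread, from systemd or from fuse-overlayfs. It defines a local copy of the kernel's `struct open_how` and uses syscall number 437 so it builds on older headers (both come from the kernel UAPI); the function names `open_with_fallback` and `seccomp_mode` are my own. The second function reads the `Seccomp:` field of `/proc/self/status`, which is the check the thread refers to (mode 2 means a filter is installed). One design choice worth noting: if the caller asked for `RESOLVE_*` restrictions, the fallback refuses rather than silently opening the path without them, since those flags are usually there for a security reason.

```c
/* Added example, not from the systemd-devel thread: openat2(2) with a
 * fallback to openat(2) when the syscall is unavailable or filtered. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_openat2
#define SYS_openat2 437   /* openat2 has the same number on every architecture */
#endif

/* Local copy of struct open_how (from <linux/openat2.h>) so this builds
 * even where the headers are older than the kernel. */
struct example_open_how {
    uint64_t flags;
    uint64_t mode;
    uint64_t resolve;
};
#define EXAMPLE_RESOLVE_BENEATH 0x08   /* value of RESOLVE_BENEATH in the kernel UAPI */

/* Open `path` relative to `dirfd`.  Tries openat2() first; if the kernel
 * lacks it (ENOSYS) or a seccomp allow list denies it (EPERM, nspawn's
 * default action), falls back to openat().  If `fell_back` is non-NULL it
 * is set to 1 when the fallback path was taken, 0 otherwise.
 * Returns an fd, or -1 with errno set.  When resolve flags were requested
 * and openat2() is unavailable, fails with EOPNOTSUPP instead of quietly
 * dropping the restriction. */
int open_with_fallback(int dirfd, const char *path, int flags, int resolve, int *fell_back)
{
    struct example_open_how how;
    memset(&how, 0, sizeof how);
    how.flags = (uint64_t)flags;
    how.resolve = (uint64_t)resolve;

    if (fell_back) *fell_back = 0;
    long fd = syscall(SYS_openat2, dirfd, path, &how, sizeof how);
    if (fd >= 0)
        return (int)fd;
    if (errno != ENOSYS && errno != EPERM)
        return -1;                 /* genuine error (ENOENT, EACCES, ...) */

    if (resolve != 0) {            /* caller relied on RESOLVE_*; do not weaken silently */
        errno = EOPNOTSUPP;
        return -1;
    }
    if (fell_back) *fell_back = 1;
    return openat(dirfd, path, flags);
}

/* Seccomp mode of the calling process as reported by /proc/self/status:
 * 0 disabled, 1 strict, 2 filter (what the thread saw inside nspawn);
 * -1 if the file cannot be read. */
int seccomp_mode(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int mode = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Seccomp:", 8) == 0) {
            mode = atoi(line + 8);
            break;
        }
    }
    fclose(f);
    return mode;
}

int main(void)
{
    int fell_back = 0;
    printf("Seccomp mode: %d\n", seccomp_mode());
    int fd = open_with_fallback(AT_FDCWD, "/proc/self/status", O_RDONLY | O_CLOEXEC, 0, &fell_back);
    if (fd < 0) {
        perror("open_with_fallback");
        return 1;
    }
    printf("opened via %s\n", fell_back ? "openat() fallback" : "openat2()");
    close(fd);
    return 0;
}
```

Running this inside `systemd-nspawn` with the default filter should report mode 2 and the openat() fallback; with `--system-call-filter=openat2` added to the nspawn command line, the openat2() path is taken instead.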