Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround

From: Christoph Hellwig
Date: Tue Nov 24 2020 - 08:37:34 EST


On Tue, Nov 24, 2020 at 01:08:20PM +0100, Florian Weimer wrote:
> This documents a way to safely use new security-related system calls
> while preserving compatibility with container runtimes that require
> insecure emulation (because they filter the system call by default).
> Admittedly, it is somewhat hackish, but it can be implemented by
> userspace today, for existing system calls such as faccessat2,
> without kernel or container runtime changes.

I think this is completely insane. Tell the OCI folks to fix their
completely broken specification instead.