qm: add seccomp json also deny sched_setscheduler #362
Conversation
Also, I don't think this change is entirely right. By removing the ALLOW for setschedule you're triggering the default operation, which is to return ENOSYS. I think the proper thing is to move setschedule to the syscall list just above it that generates EPERM instead. You can probably do this based on the original json with some creative use of jq.
It seems qm.service failed:
I wonder what the error code is.
I cannot see why it's failing in the CI systems (no systemctl status from QM); I will try to reproduce locally on CentOS.
I updated the patch. It seems related to ExecPreStart; now I am getting the message below.
cc @rhatdan, should we avoid this approach? I am trying to make sure that, in a scenario where the containers-common package gets updated with new seccomp.json rules, we also update qm on a start/restart/reboot by running the qm-seccomp tool from ExecPreStart, not only in the initial qm setup. Just a note: setting setenforce 0 makes qm start and run fine.
What are the AVCs you are seeing?
@Yarboa could it be a cache in the CI/CD machines? I see:
I talked with @alexlarsson; there is no need to do this in the qm systemd unit. I will redo this part of the patch and update here.
Signed-off-by: Douglas Schilling Landgraf <[email protected]>
The solution works; without the patch I don't see the "Operation not permitted".
The test program:
@alexlarsson @rhatdan @Yarboa ready for review.
@rhatdan the SELinux issue I shared seems related to trying to start the qm service without the setup being 100% complete. I will create an issue. Thanks!
@dougsland
Did I get it right?
setup generates the qm partition seccomp.json based on the host seccomp.json
Once created, the qm quadlet passes the qm partition seccomp.json in the podman args parameters
correct.
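The two points made in this thread, that dropping a syscall from the SCMP_ACT_ALLOW list makes it fall through to the profile's ENOSYS default while moving it into the SCMP_ACT_ERRNO/errnoRet 1 block yields EPERM, and that setup derives the qm partition's seccomp.json from the host's, can be shown with one script. The following is an added example and is not code from this PR, from the qm-seccomp tool, or from the qm project: it loads a host-style seccomp.json, moves `sched_setscheduler` from the allow list into the EPERM block, and resolves the effective action of a syscall so the ENOSYS-versus-EPERM difference is visible. The input profile is a constructed stand-in with the same shape as containers-common's seccomp.json, not the real file; the function names, the script name and the two path arguments are assumptions.

```python
"""qm_seccomp_example.py (hypothetical name): derive a QM seccomp profile from
the host's seccomp.json by moving selected syscalls from the SCMP_ACT_ALLOW
lists into the SCMP_ACT_ERRNO block that returns EPERM."""
import copy
import json
import sys

ENOSYS = 38  # errno the profile's default action returns
EPERM = 1    # errno the explicit "errnoRet": 1 deny block returns

# Constructed stand-in for a containers-common style seccomp.json (NOT the real
# file): ENOSYS default, one EPERM deny block, one large allow block.
HOST_SECCOMP_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 38,
  "syscalls": [
    {
      "names": ["open_by_handle_at", "bpf", "clock_settime"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "args": []
    },
    {
      "names": ["read", "write", "sched_setscheduler", "sched_setattr", "exit_group"],
      "action": "SCMP_ACT_ALLOW",
      "args": []
    }
  ]
}
"""


def load_profile(text):
    """Parse seccomp JSON text into a dict."""
    return json.loads(text)


def render(profile):
    """Serialize a profile back to the plain JSON podman consumes."""
    return json.dumps(profile, indent=2) + "\n"


def remove_from_allow(profile, names):
    """Drop `names` from every SCMP_ACT_ALLOW block. On its own this is the change
    the reviewer objected to: the syscalls fall through to defaultAction (ENOSYS)."""
    out = copy.deepcopy(profile)
    kept = []
    for block in out["syscalls"]:
        if block.get("action") == "SCMP_ACT_ALLOW":
            block["names"] = [n for n in block["names"] if n not in names]
            if not block["names"]:
                continue  # an empty names list is not a valid rule; drop the block
        kept.append(block)
    out["syscalls"] = kept
    return out


def deny_with_eperm(profile, names):
    """Remove `names` from the allow lists and add them to the argument-less
    SCMP_ACT_ERRNO block with errnoRet == EPERM, creating that block if absent."""
    out = remove_from_allow(profile, names)
    for block in out["syscalls"]:
        if (block.get("action") == "SCMP_ACT_ERRNO"
                and block.get("errnoRet") == EPERM
                and not block.get("args")):
            block["names"].extend(n for n in names if n not in block["names"])
            break
    else:
        out["syscalls"].insert(0, {"names": list(names), "action": "SCMP_ACT_ERRNO",
                                   "errnoRet": EPERM, "args": []})
    return out


def effective_action(profile, name):
    """Resolve (action, errno) for a syscall with no argument filter. First match
    wins; names not listed anywhere fall back to defaultAction. Omitted errnoRet /
    defaultErrnoRet is treated as EPERM, runc's default."""
    for block in profile["syscalls"]:
        if name in block["names"] and not block.get("args"):
            action = block["action"]
            errno = block.get("errnoRet", EPERM) if action == "SCMP_ACT_ERRNO" else None
            return action, errno
    action = profile["defaultAction"]
    errno = profile.get("defaultErrnoRet", EPERM) if action == "SCMP_ACT_ERRNO" else None
    return action, errno


if __name__ == "__main__":
    # Usage (paths are placeholders): qm_seccomp_example.py HOST_SECCOMP_JSON QM_SECCOMP_JSON
    # With no arguments the constructed sample is transformed and printed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else HOST_SECCOMP_JSON
    qm = deny_with_eperm(load_profile(text), ["sched_setscheduler"])
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w") as fh:
            fh.write(render(qm))
    else:
        sys.stdout.write(render(qm))
```

The generated file is what the qm partition's quadlet would hand to podman (quadlet's `SeccompProfile=` key, or `--security-opt seccomp=<path>` on the command line); a container that then calls `sched_setscheduler` gets EPERM ("Operation not permitted") rather than ENOSYS, which is the behaviour the test program in this PR checks for.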
Patch originally from talk with @alexlarsson