public inbox for libc-alpha@sourceware.org
From: Florian Weimer <fweimer@redhat.com>
To: Aleksa Sarai <cyphar@cyphar.com>
Cc: "Dmitry V. Levin" <ldv@altlinux.org>,
	 Petr Vorel <pvorel@suse.cz>,
	libc-alpha@sourceware.org,  Fabian Vogt <fvogt@suse.com>,
	 Andreas Schwab <schwab@suse.de>,
	 Kir Kolyshkin <kolyshkin@gmail.com>,
	 Ladislav Slezak <lslezak@suse.com>
Subject: Re: [RFC PATCH] Linux: Workaround seccomp() issue with faccessat2()
Date: Mon, 01 Mar 2021 12:54:09 +0100
Message-ID: <87wnurgkda.fsf@oldenburg.str.redhat.com>
In-Reply-To: <20210228075615.vx7vomaqshipal75@yavin.dot.cyphar.com> (Aleksa Sarai's message of "Sun, 28 Feb 2021 18:56:15 +1100")

* Aleksa Sarai:

> It should also be noted that we fixed this in runc a month ago[1], which
> means that it's up to distributions and cloud vendors to update their
> runc packages to the latest version or backport the patch.
>
> Docker's packaging hasn't been updated to use the latest runc yet
> (that'll happen in the next patch release), but distributions can ship
> newer runc versions -- that's what we do in openSUSE.
>
> [1]: https://github.com/opencontainers/runc/pull/2750

There are some indications that not all container runtimes will pick up
the runc kludge (thanks for developing that by the way).  So it's likely
that the general issue will be with us for a while longer.  Maybe the
competitive pressure from other working container runtimes will
encourage others to re-evaluate their approach, I don't know.

We still don't plan to throw in downstream-only glibc patches to paper
over this (given that it's been rejected by kernel and glibc developers
alike, I really think it's the wrong way to go).  So far management
isn't breathing down our necks.

Thanks,
Florian



Thread overview: 7+ messages
2021-02-25 19:47 Petr Vorel
2021-02-25 22:38 ` Dmitry V. Levin
2021-02-26  4:11   ` Petr Vorel
2021-02-28  6:03     ` Mike Frysinger
2021-02-28  7:56   ` Aleksa Sarai
2021-03-01 11:54     ` Florian Weimer [this message]
2021-03-04  8:27       ` Petr Vorel
