-
-
Notifications
You must be signed in to change notification settings - Fork 705
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apparently now libseccomp defines the new syscall numbers. #1495
Conversation
Fascinating. Apparently |
It looks like these libseccomp commits got pushed to master yesterday. They include seccomp/libseccomp@d2ca11b, which defines Unfortunately, it gets defined to I'm also confused about why such a definition would exist for the Does anyone have a better understanding of what's going on here? @amluto? |
This seems to indicate that we should move our |
Yuck. They should not be injecting incorrect definitions like that. I'll
complain at them.
At some point we should drop libseccomp. It's problematic for a few
reasons.
|
Yeah uh IMO this is a security flaw in libseccomp -- presumably this means that if you build the supervisor against old headers, you silently end up with a sandbox that doesn't filter the newer syscalls. That's really bad! @amluto I'm always happy to indulge in more NIH. ;) |
Hmm actually I suspect what they're doing is making up for old kernel headers by falling back to internal tables. Presumably the weird negative value gets mapped through a table inside the library to get the correct value for the host platform. We should probably test to find out. It's still weird that they'd override the |
I filed: |
Closing due to #1672 |
This undoes #1488. Apparently the latest libseccomp now defines the values? I'm curious whether this will pass in Jenkins...