-
I think we need to rework the approach towards seccomp because the stub workaround I came up with earlier this year in opencontainers/runc#2750 seems to not be doing a great job of solving the problem (may…
-
**This is a design limitation, without an immediate fix.**
## Summary
(Rewritten for clarity)
- Users of cdxgen are known to run the tool against both trusted and untrusted codebases
- cdxgen …
-
Gimp 2.10.10 fails to load (hangs without any output).
Firejail version 0.9.58.2 on Arch Linux. Runs fine with `--noprofile`. Disabling `seccomp` in `gimp.profile` fixes the issue.
-
### Is your feature request related to a problem? Please describe.
1. You cannot add system-wide overrides for .profile/.inc files
2. You normally should not modify installed .profile files, movi…
-
Given the concept of least privilege, have you thought about setting a mode in the process that creates a profile where the default action is `SCMP_ACT_ERRNO` and then explicitly list syscalls for the…
-
Hi,
I've noticed that on my systems (Fedora, Debian, Alpine) it's possible to get network admin privileges in a user namespace within a container:
```
$ podman run --rm -ti docker.io/alpine
/ # …
```
-
Make it possible for anyone to be able to run Poplog inside a GitPod workspace from a suitable repo e.g. https://github.com/GetPoplog/ghcs.git (will need renaming).
- [x] Set up a repo to investiga…
-
#3883 and #3806 could be related
When running `firejail --profile=/etc/firejail/nuclear.profile nuclear` I get `The SUID sandbox helper binary was found, but is not configured correctly. Rather tha…
-
### Community Note
* Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the…
-
Adding the seccomp:unconfined parameter is not getting passed to the container.
Parameters allow for label/apparmor; however, adding a parameter as label:seccomp:unconfined also does not work.