containers / common

Location for shared common files in github.com/containers repos.
Apache License 2.0

RPM: use default seccomp.json profiles #2169

Closed lsm5 closed 1 week ago

lsm5 commented 1 week ago

keyctl is in ALLOW by default and socket should not always be ALLOW, per @giuseppe.

This change removes seccomp.json customizations and we'll use the distro's default seccomp profile.
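An added illustration of the two cases described in the comment above (not code from this PR or from containers/common): a check that classifies each packaging-time ALLOW addition against the default profile as redundant or as widening a conditional rule. The profile below is a constructed stand-in in the seccomp.json layout, and the function names and the list of additions are assumptions.

```python
import json

# Constructed stand-in for a distro default profile (not the real shipped file).
DEFAULT_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["keyctl", "read", "write"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 16, "op": "SCMP_CMP_NE"}]}
  ]
}
"""

def allow_sets(profile):
    """Return (unconditional, conditional) sets of syscall names with action ALLOW."""
    unconditional, conditional = set(), set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        # A rule is conditional if it filters on arguments or is gated by
        # includes/excludes (capabilities, architectures).
        gated = rule.get("args") or rule.get("includes") or rule.get("excludes")
        (conditional if gated else unconditional).update(rule.get("names", []))
    # A name allowed outright somewhere is not limited by its conditional rules.
    return unconditional, conditional - unconditional

def classify_additions(profile, added):
    """Classify syscalls a packager wants to add as plain ALLOW entries."""
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        raise ValueError("expected a deny-by-default profile")
    unconditional, conditional = allow_sets(profile)
    verdict = {}
    for name in added:
        if name in unconditional:
            verdict[name] = "redundant"   # default already allows it outright
        elif name in conditional:
            verdict[name] = "broadens"    # would drop the default's conditions
        else:
            verdict[name] = "new"         # not allowed by the default at all
    return verdict

if __name__ == "__main__":
    default = json.loads(DEFAULT_JSON)
    # Hypothetical customization list, modelled on the two syscalls named in the PR.
    for name, result in classify_additions(default, ["keyctl", "socket", "bpf"]).items():
        print(f"{name}: {result}")
```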

lsm5 commented 1 week ago

@jnovy @giuseppe @Luap99 @rhatdan @mtrmac PTAL.

openshift-ci[bot] commented 1 week ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, lsm5

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/containers/common/blob/main/OWNERS)~~ [giuseppe]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment

lsm5 commented 1 week ago

LGTM, although I like to know the reason why this was added in the first place.

@jnovy mentioned it was originally added in the RHEL 8.2 days because support was asking for it. And about 4 years ago, Dan added those to the skopeo package (back when it was skopeo-containers), and it had stayed since.

rhatdan commented 1 week ago

/lgtm

rhatdan commented 1 week ago

I don't recall this, but seems right to me.

lsm5 commented 1 week ago

/cherrypick v0.60

lsm5 commented 1 week ago

cherrypick bot is being slow for whatever reason. @giuseppe do we want this to land in Fedora in the next v0.60 release if there's one?