Separate each syscall condition (argument) for the personality syscall into
a single rule because libseccomp can only compare each condition once
in a single rule. Otherwise, adding the rule returns EINVAL on failure.
In order to address the failure, general OCI runtimes such as runc add each
condition as a separate rule if two or more conditions have the same conditions,
but this is a way of keeping compatibility (old behavior). Hence, it will lead
to wrong behavior because the conditions for the rules will be logical-OR instead
of logical-AND.
In the case of the OCI tests for the personality syscall, we should explicitly
separate the conditions into a single rule as logical-OR for container runtimes
that do not support the above old behavior.
Ref. https://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
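The difference between one entry carrying two conditions on the same argument and one entry per condition, as an added example that is not part of the commit or the project's code: a Python model of the OCI `linux.seccomp` semantics (conditions inside one rule are ANDed, separate rules are ORed). The profile and the argument values 0 and 8 are constructed, all function names are hypothetical, and only `SCMP_CMP_EQ` is modeled.

```python
# Added example, not code from the commit. The sample profile is constructed.
from collections import Counter

# Constructed "linux.seccomp" fragment: two conditions on argument 0 of
# personality(2) inside one syscall entry, i.e. one rule.
PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{
        "names": ["personality"],
        "action": "SCMP_ACT_ALLOW",
        "args": [
            {"index": 0, "value": 0, "op": "SCMP_CMP_EQ"},
            {"index": 0, "value": 8, "op": "SCMP_CMP_EQ"},
        ],
    }],
}

def repeated_indexes(entry):
    """Argument indexes that are compared more than once in a single entry."""
    counts = Counter(a["index"] for a in entry.get("args", []))
    return sorted(i for i, n in counts.items() if n > 1)

def split_entry(entry):
    """Emit one entry per condition so each becomes its own rule (logical-OR)."""
    if not repeated_indexes(entry):
        return [entry]
    return [{**entry, "args": [a]} for a in entry["args"]]

def entry_matches(entry, argv):
    """All conditions inside one rule must hold (logical-AND)."""
    return all(argv[a["index"]] == a["value"] for a in entry.get("args", []))

def allowed(entries, name, argv):
    """Separate rules for the same syscall are alternatives (logical-OR)."""
    return any(name in e["names"] and entry_matches(e, argv) for e in entries)

def explicit_profile(profile):
    """Rewrite the profile so no entry compares the same argument twice."""
    out = []
    for e in profile["syscalls"]:
        out.extend(split_entry(e))
    return {**profile, "syscalls": out}

if __name__ == "__main__":
    fixed = explicit_profile(PROFILE)
    for arg0 in (0, 8, 4):
        print(arg0, allowed(PROFILE["syscalls"], "personality", [arg0]),
              allowed(fixed["syscalls"], "personality", [arg0]))
```

Read literally as AND, the single entry can never match, since argument 0 cannot equal both values; the split form allows either value and nothing else.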