
seccomp: allow 'rseq' syscall in default seccomp profile #41158


Merged (1 commit, Jun 26, 2020)

Conversation

@Flowdalic (Contributor) commented Jun 26, 2020

Restartable Sequences (rseq) are a kernel-based mechanism for fast
update operations on per-core data in user-space. Some libraries, like
the newest version of Google's TCMalloc, depend on it [1].

This also makes Docker's default seccomp profile on par with systemd's,
which enabled 'rseq' in early 2019 [2].

1: https://google.github.io/tcmalloc/design.html
2: systemd/systemd@6fee3be
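The change under review is an allow-list edit to a JSON seccomp profile, and the practical question for anyone shipping a custom profile is whether a given syscall (here `rseq`) is already covered. The following Go program, added here as an example and not code from moby or from this PR, parses the subset of the Docker/OCI seccomp profile schema that matters for that question (`defaultAction`, `syscalls[].names`, `syscalls[].action`), resolves the effective action for a syscall name, and appends an allow entry when one is missing. The embedded profile is constructed for the example and deliberately omits `rseq`, as Docker's default did before this PR; the `archMap`, `args`, `includes` and `excludes` fields of the real profile are intentionally not modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// syscallGroup is one entry of the "syscalls" array: a set of syscall names
// that share an action. Real profiles also carry "args", "includes" and
// "excludes" filters, which this example ignores.
type syscallGroup struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// seccompProfile models the two top-level fields needed to answer
// "is this syscall allowed?": the fallback action and the syscall groups.
type seccompProfile struct {
	DefaultAction string         `json:"defaultAction"`
	Syscalls      []syscallGroup `json:"syscalls"`
}

// sampleProfile is a constructed, deliberately short profile that, like
// Docker's default before this PR, has no entry for rseq.
const sampleProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "futex", "sched_yield"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["membarrier"], "action": "SCMP_ACT_ALLOW"}
  ]
}`

// parseProfile decodes a profile from its JSON text.
func parseProfile(data string) (*seccompProfile, error) {
	var p seccompProfile
	if err := json.Unmarshal([]byte(data), &p); err != nil {
		return nil, fmt.Errorf("parsing seccomp profile: %w", err)
	}
	return &p, nil
}

// effectiveAction returns the action of the first group that names the
// syscall, or the profile's defaultAction when no group mentions it.
func effectiveAction(p *seccompProfile, name string) string {
	for _, g := range p.Syscalls {
		for _, n := range g.Names {
			if n == name {
				return g.Action
			}
		}
	}
	return p.DefaultAction
}

// isAllowed reports whether a call to name would pass the filter.
func isAllowed(p *seccompProfile, name string) bool {
	return effectiveAction(p, name) == "SCMP_ACT_ALLOW"
}

// missingAllows returns, in input order, the syscalls from wanted that the
// profile does not allow. Useful as a pre-deployment check for a custom profile.
func missingAllows(p *seccompProfile, wanted []string) []string {
	var missing []string
	for _, w := range wanted {
		if !isAllowed(p, w) {
			missing = append(missing, w)
		}
	}
	return missing
}

// allowSyscall adds an unconditional allow entry for name in a new group, so
// that existing groups and any argument filters they carry stay untouched.
// It reports whether the profile was changed.
func allowSyscall(p *seccompProfile, name string) bool {
	if isAllowed(p, name) {
		return false
	}
	p.Syscalls = append(p.Syscalls, syscallGroup{
		Names:  []string{name},
		Action: "SCMP_ACT_ALLOW",
	})
	return true
}

func main() {
	p, err := parseProfile(sampleProfile)
	if err != nil {
		panic(err)
	}
	fmt.Println("missing before:", missingAllows(p, []string{"futex", "membarrier", "rseq"}))
	allowSyscall(p, "rseq")
	fmt.Println("missing after: ", missingAllows(p, []string{"futex", "membarrier", "rseq"}))
	out, _ := json.MarshalIndent(p, "", "  ")
	fmt.Println(string(out))
}
```

The check is deliberately name-based: a syscall listed only with `SCMP_ACT_ERRNO` counts as denied, and a syscall absent from every group falls back to `defaultAction`, which is how a missing `rseq` surfaces as `ENOSYS`/`EPERM` failures in a library such as TCMalloc that probes for it.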

@thaJeztah (Member):

@justincormack PTAL

Signed-off-by: Florian Schmaus <flo@geekplace.eu>
@Flowdalic force-pushed the allow-rseq-seccomp branch from ed8836d to d0d99b0 on June 26, 2020 14:06

@thaJeztah (Member) left a comment

LGTM, thanks!

(chatted with @justincormack, and he was ok with adding this)

@thaJeztah thaJeztah added this to the 20.03.0 milestone Jun 26, 2020
@thaJeztah (Member):

@Flowdalic you'll likely want this in the containerd seccomp profile as well; https://github.com/containerd/containerd/tree/master/contrib/seccomp. Let me know if you want to open a PR there, or want me to open one

@Flowdalic (Contributor, Author):

@thaJeztah Thanks for pointing this out. I've created containerd/containerd#4347
