author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-08-19 23:29:03 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-19 23:29:03 +0200 |
commit | 9ac3a03d041161bed934ca0259fb70072b9cd8d0 (patch) | |
tree | d3c934cf8ff2a6caf78a51f931034ec57d0089be | |
parent | 1deb4d1d70efb6d62f4fe5e735c94523f930b6d7 (diff) | |
parent | c50d37bc1045f1a493c89137eb1139cf5d910e0f (diff) | |
Merge pull request #7381 from baude/v2CIFix
Fix v2.0.x CI
-rw-r--r-- | contrib/cirrus/lib.sh | 5 | ||||
-rw-r--r-- | seccomp.json | 60 |
2 files changed, 32 insertions, 33 deletions
diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh
index c77eaca12..2619a144e 100644
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@@ -393,6 +393,11 @@ install_test_configs() {
 # by default in google cloud. https://cloud.google.com/vpc/docs/vpc#ip-ranges
 install -v -D -m 644 $SCRIPT_BASE/99-do-not-use-google-subnets.conflist /etc/cni/net.d/
 install -v -D -m 644 ./test/registries.conf /etc/containers/
+ # This needs to removed when we have a seccomp profile
+ # that works on ubuntu with runc
+ if [[ -f "seccomp.json" ]]; then
+ install -v -D -m 644 ./seccomp.json /usr/share/containers
+ fi
 }
 # Remove all files provided by the distro version of podman.
diff --git a/seccomp.json b/seccomp.json
index fd0681a86..ba129383d 100644
--- a/seccomp.json
+++ b/seccomp.json
@@ -65,9 +65,11 @@
 "chmod",
 "chown",
 "chown32",
+ "clock_adjtime",
 "clock_getres",
 "clock_gettime",
 "clock_nanosleep",
+ "clone",
 "close",
 "connect",
 "copy_file_range",
@@ -167,6 +169,7 @@
 "io_setup",
 "io_submit",
 "ipc",
+ "keyctl",
 "kill",
 "lchown",
 "lchown32",
@@ -218,6 +221,7 @@
 "pause",
 "pipe",
 "pipe2",
+ "pivot_root",
 "poll",
 "ppoll",
 "prctl",
@@ -329,6 +333,7 @@
 "sync_file_range",
 "syncfs",
 "sysinfo",
+ "syslog",
 "tee",
 "tgkill",
 "time",
@@ -525,7 +530,8 @@
 "names": [
 "s390_pci_mmio_read",
 "s390_pci_mmio_write",
- "s390_runtime_instr"
+ "s390_runtime_instr",
+ "clone"
 ],
 "action": "SCMP_ACT_ALLOW",
 "args": [],
@@ -565,7 +571,6 @@
 "setdomainname",
 "sethostname",
 "setns",
- "syslog",
 "umount",
 "umount2",
 "unshare"
@@ -678,6 +683,23 @@
 },
 {
 "names": [
+ "get_mempolicy",
+ "mbind",
+ "name_to_handle_at",
+ "set_mempolicy"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_NICE"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
 "acct"
 ],
 "action": "SCMP_ACT_ALLOW",
@@ -726,7 +748,9 @@
 "names": [
 "settimeofday",
 "stime",
- "clock_settime"
+ "clock_settime",
+ "clock_adjtime",
+ "adjtimex"
 ],
 "action": "SCMP_ACT_ALLOW",
 "args": [],
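Review bot: The added `install` line in install_test_configs() gives its destination as `/usr/share/containers`, without the trailing slash used by the two install lines above it; with `-D`, if that directory is missing on an image, install would likely create a regular file of that name instead of placing the profile inside it. Naming the full target removes the ambiguity: `install -v -D -m 644 ./seccomp.json /usr/share/containers/seccomp.json`. The comment should also state that this overrides the packaged seccomp profile for every test run on the host, so CI exercises the in-tree profile rather than the one users get, e.g. `# Temporary: overrides the packaged seccomp profile; remove once a profile works on ubuntu with runc`. The function starts above the hunk.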
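Review bot: `clone` is added here to the large syscall list that starts above the hunk, and the same list gains `keyctl`, `pivot_root` and `syslog` in the hunks at -167, -218 and -329; if that list is the profile's unconditional SCMP_ACT_ALLOW entry, as its contents suggest, these calls are no longer gated by any capability or argument condition. For `syslog` the commit shows the loss of gating directly: it is dropped from the list that holds `setns`/`unshare` (hunk at -565) and its CAP_SYSLOG entry is deleted (hunk at -751). An ungated `clone` entry places no restriction on the flags argument, including the namespace-creating flags, so only the kernel's own permission checks remain for it. Since the commit describes this as a CI fix, I would keep the widened list in a CI-only profile and record the reason in the entries' `"comment"` field, which the visible entries leave empty, rather than widening the repository's default profile.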
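Review bot: `clone` is appended to the entry that otherwise lists only `s390_pci_mmio_read`, `s390_pci_mmio_write` and `s390_runtime_instr`, while the same commit also adds it to the large list in the hunk at -65, so one of the two additions looks redundant. The entry's `includes`/`excludes` fall outside the hunk, so which condition applies here cannot be confirmed from the diff. The same duplication occurs for `clock_adjtime` in the hunk at -726, where it joins `settimeofday`/`clock_settime` and is also present in the -65 list. If the first list is unconditional, the conditional entries never decide anything for these names; keeping each syscall in exactly one entry would make the effective policy readable during review.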
@@ -751,36 +775,6 @@
 ]
 },
 "excludes": {}
- },
- {
- "names": [
- "get_mempolicy",
- "mbind",
- "set_mempolicy"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_NICE"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "syslog"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYSLOG"
- ]
- },
- "excludes": {}
 }
 ]
 } |