Diffstat (limited to 'runsc')
-rw-r--r-- | runsc/boot/filter/config.go | 12 | ||||
-rw-r--r-- | runsc/boot/filter/config_amd64.go | 8 | ||||
-rw-r--r-- | runsc/boot/loader_amd64.go | 1 | ||||
-rw-r--r-- | runsc/boot/loader_arm64.go | 1 | ||||
-rw-r--r-- | runsc/main.go | 13 |
5 files changed, 26 insertions, 9 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index b5bd61a3a..677356193 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -38,9 +38,15 @@ var allowedSyscalls = seccomp.SyscallRules{
 syscall.CLONE_THREAD),
 },
 },
- syscall.SYS_CLOSE: {},
- syscall.SYS_DUP: {},
- syscall.SYS_DUP3: {},
+ syscall.SYS_CLOSE: {},
+ syscall.SYS_DUP: {},
+ syscall.SYS_DUP3: []seccomp.Rule{
+ {
+ seccomp.AllowAny{},
+ seccomp.AllowAny{},
+ seccomp.AllowValue(0),
+ },
+ },
 syscall.SYS_EPOLL_CREATE1: {},
 syscall.SYS_EPOLL_CTL: {},
 syscall.SYS_EPOLL_PWAIT: []seccomp.Rule{
diff --git a/runsc/boot/filter/config_amd64.go b/runsc/boot/filter/config_amd64.go
index 058d9c264..5335ff82c 100644
--- a/runsc/boot/filter/config_amd64.go
+++ b/runsc/boot/filter/config_amd64.go
@@ -24,8 +24,8 @@ import (
 )
 
 func init() {
- allowedSyscalls[syscall.SYS_ARCH_PRCTL] = []seccomp.Rule{
- {seccomp.AllowValue(linux.ARCH_GET_FS)},
- {seccomp.AllowValue(linux.ARCH_SET_FS)},
- }
+ allowedSyscalls[syscall.SYS_ARCH_PRCTL] = append(allowedSyscalls[syscall.SYS_ARCH_PRCTL],
+ seccomp.Rule{seccomp.AllowValue(linux.ARCH_GET_FS)},
+ seccomp.Rule{seccomp.AllowValue(linux.ARCH_SET_FS)},
+ )
 }
diff --git a/runsc/boot/loader_amd64.go b/runsc/boot/loader_amd64.go
index d16d20d89..b9669f2ac 100644
--- a/runsc/boot/loader_amd64.go
+++ b/runsc/boot/loader_amd64.go
@@ -14,7 +14,6 @@
 
 // +build amd64
 
-// Package boot loads the kernel and runs a container.
 package boot
 
 import (
diff --git a/runsc/boot/loader_arm64.go b/runsc/boot/loader_arm64.go
index 8712e764a..cf64d28c8 100644
--- a/runsc/boot/loader_arm64.go
+++ b/runsc/boot/loader_arm64.go
@@ -14,7 +14,6 @@
 
 // +build arm64
 
-// Package boot loads the kernel and runs a container.
 package boot
 
 import (
diff --git a/runsc/main.go b/runsc/main.go
index 711f60d4f..4682b308c 100644
--- a/runsc/main.go
+++ b/runsc/main.go
@@ -26,6 +26,7 @@ import (
 "path/filepath"
 "strings"
 "syscall"
+ "time"
 
 "flag"
 
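Review bot: The new SYS_DUP3 rule in config.go pins its third argument to `seccomp.AllowValue(0)` with no comment saying what that argument is or why only zero is accepted. For dup3 the third argument is the flags word, so the filter now rejects any call that passes O_CLOEXEC, and a caller that does so fails with a seccomp violation rather than at review time. A trailing comment such as `seccomp.AllowValue(0), // flags: none permitted (no O_CLOEXEC)` would make the restriction auditable. The allowedSyscalls literal begins and ends outside this hunk.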
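Review bot: In init() of config_amd64.go, switching from assignment to `append(allowedSyscalls[syscall.SYS_ARCH_PRCTL], ...)` makes the effective arch_prctl allowlist depend on rules another file may already have stored under that key, and nothing in the hunk names that file. If a second contributor exists, the result is a union built in init order. If none exists, the append is equivalent to the old assignment and the change only hides that. A comment above the statement would let a reader of the filter see the full rule set, e.g. `// Appended, not assigned: <other file> also adds SYS_ARCH_PRCTL rules.` with the placeholder replaced by the real file name.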
@@ -237,6 +238,18 @@ func main() {
 log.SetLevel(log.Debug)
 }
 
+ // Logging will include the local date and time via the time package.
+ //
+ // On first use, time.Local initializes the local time zone, which
+ // involves opening tzdata files on the host. Since this requires
+ // opening host files, it must be done before syscall filter
+ // installation.
+ //
+ // Generally there will be a log message before filter installation
+ // that will force initialization, but force initialization here in
+ // case that does not occur.
+ _ = time.Local.String()
+
 subcommand := flag.CommandLine.Arg(0)
 
 var e log.Emitter |
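Review bot: `_ = time.Local.String()` forces the zone load only because String() on time.Local happens to trigger the lazy initialisation, which the time package documentation does not appear to promise. The comment explains why the load must precede filter installation but not that the call depends on this behaviour. Filter installation is also not visible in this hunk, so the ordering is kept by convention only, and a regression would show up as a seccomp violation when tzdata is first opened. I would add `// Relies on Location.String loading the zone for time.Local; keep ahead of filter installation.` directly above the call. main() begins and ends outside the hunk.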