
[3/5] docker: Use unconfined security profile

Message ID 20170505032340.26467-4-famz@redhat.com
State New

Commit Message

Fam Zheng May 5, 2017, 3:23 a.m. UTC
Some syscalls that are blocked by default are required to run tests, for example
userfaultfd.

Signed-off-by: Fam Zheng <famz@redhat.com>
---
 tests/docker/Makefile.include | 1 +
 1 file changed, 1 insertion(+)

Comments

Alex Bennée May 5, 2017, 8:27 a.m. UTC | #1
Fam Zheng <famz@redhat.com> writes:

> Some by default blocked syscalls are required to run tests for example
> userfaultfd.

Is there any way the tests could DoS the host? I guess you could achieve
the same running the iotests directly from make but it does seem we
should confine the docker guest as much as possible.

>
> Signed-off-by: Fam Zheng <famz@redhat.com>
> ---
>  tests/docker/Makefile.include | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/tests/docker/Makefile.include b/tests/docker/Makefile.include
> index 0ed8c3d..09d157c 100644
> --- a/tests/docker/Makefile.include
> +++ b/tests/docker/Makefile.include
> @@ -127,6 +127,7 @@ docker-run: docker-qemu-src
>  	$(call quiet-command,						\
>  		$(SRC_PATH)/tests/docker/docker.py run 			\
>  			$(if $(NOUSER),,-u $(shell id -u)) -t 		\
> +			--security-opt seccomp=unconfined		\
>  			$(if $V,,--rm) 					\
>  			$(if $(DEBUG),-i,--net=none) 			\
>  			-e TARGET_LIST=$(TARGET_LIST) 			\


--
Alex Bennée
Fam Zheng May 5, 2017, 9:12 a.m. UTC | #2
On Fri, 05/05 09:27, Alex Bennée wrote:
> 
> Fam Zheng <famz@redhat.com> writes:
> 
> > Some by default blocked syscalls are required to run tests for example
> > userfaultfd.
> 
> Is there any way the tests could DoS the host? I guess you could achieve
> the same running the iotests directly from make but it does seem we
> should confine the docker guest as much as possible.

I don't know the answer to the security question, but if a confined docker
environment is full of pitfalls and unpleasant to work with, it won't grow that
much.

Patchew runs this in a VM, so it's not a big problem to me.

> 
> >
> > Signed-off-by: Fam Zheng <famz@redhat.com>
> > ---
> >  tests/docker/Makefile.include | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/tests/docker/Makefile.include b/tests/docker/Makefile.include
> > index 0ed8c3d..09d157c 100644
> > --- a/tests/docker/Makefile.include
> > +++ b/tests/docker/Makefile.include
> > @@ -127,6 +127,7 @@ docker-run: docker-qemu-src
> >  	$(call quiet-command,						\
> >  		$(SRC_PATH)/tests/docker/docker.py run 			\
> >  			$(if $(NOUSER),,-u $(shell id -u)) -t 		\
> > +			--security-opt seccomp=unconfined		\
> >  			$(if $V,,--rm) 					\
> >  			$(if $(DEBUG),-i,--net=none) 			\
> >  			-e TARGET_LIST=$(TARGET_LIST) 			\
> 
> 
> --
> Alex Bennée
Philippe Mathieu-Daudé May 6, 2017, 4:33 p.m. UTC | #3
Hi Fam, Alex, Paolo,

On 05/05/2017 12:23 AM, Fam Zheng wrote:
> Some by default blocked syscalls are required to run tests for example
> userfaultfd.
>
> Signed-off-by: Fam Zheng <famz@redhat.com>
> ---
>  tests/docker/Makefile.include | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/tests/docker/Makefile.include b/tests/docker/Makefile.include
> index 0ed8c3d..09d157c 100644
> --- a/tests/docker/Makefile.include
> +++ b/tests/docker/Makefile.include
> @@ -127,6 +127,7 @@ docker-run: docker-qemu-src
>  	$(call quiet-command,						\
>  		$(SRC_PATH)/tests/docker/docker.py run 			\
>  			$(if $(NOUSER),,-u $(shell id -u)) -t 		\
> +			--security-opt seccomp=unconfined		\

I think this should be an option in the matrix, and eventually run the tests
using userfaultfd() separately.

                 $(if $(UNCONFINED),--security-opt seccomp=unconfined,)

I'm having the same problem with getcontext() using the x32 ABI.

>  			$(if $V,,--rm) 					\
>  			$(if $(DEBUG),-i,--net=none) 			\
>  			-e TARGET_LIST=$(TARGET_LIST) 			\
>

Regards,

Phil.
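A narrower alternative to `seccomp=unconfined` than the one the thread debates, as an added example that is not part of the patch or of any reply: keep Docker's default seccomp profile and append a single allow rule for the syscalls the tests need. The profile below is a constructed, heavily trimmed stand-in for Docker's `default.json`; it keeps the real file's shape (`defaultAction`, `architectures`, `syscalls` rules with `names` and `action`) but lists only a handful of syscalls, and the output file name is an assumption.

```python
import copy
import json

# Constructed minimal stand-in for Docker's default seccomp profile:
# same structure as the real default.json, far fewer entries.
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "mmap", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
         "includes": {"minKernel": "4.8"}},
    ],
}


def allowed_syscalls(profile):
    """Set of syscall names the profile explicitly allows (any rule)."""
    return {name for rule in profile["syscalls"]
            if rule.get("action") == "SCMP_ACT_ALLOW"
            for name in rule.get("names", [])}


def allow_syscalls(profile, extra):
    """Return a copy of profile with the syscalls in `extra` allowed.

    Existing rules and the default deny action are left untouched; the
    missing names go into one new unconditional allow rule, and names the
    profile already allows are skipped so the result stays minimal."""
    new = copy.deepcopy(profile)
    missing = sorted(set(extra) - allowed_syscalls(profile))
    if missing:
        new["syscalls"].append({"names": missing, "action": "SCMP_ACT_ALLOW"})
    return new


def write_profile(profile, path):
    """Write the profile as JSON usable with --security-opt seccomp=<path>."""
    with open(path, "w") as f:
        json.dump(profile, f, indent=2)


if __name__ == "__main__":
    # Only userfaultfd is named by the commit message; allow just that.
    narrowed = allow_syscalls(DEFAULT_PROFILE, ["userfaultfd"])
    write_profile(narrowed, "qemu-tests-seccomp.json")  # assumed file name
    print(sorted(allowed_syscalls(narrowed)))
```

The generated file replaces `unconfined` in the Makefile line, i.e. `--security-opt seccomp=qemu-tests-seccomp.json`, so every other default restriction stays in force.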

Patch

diff --git a/tests/docker/Makefile.include b/tests/docker/Makefile.include
index 0ed8c3d..09d157c 100644
--- a/tests/docker/Makefile.include
+++ b/tests/docker/Makefile.include
@@ -127,6 +127,7 @@  docker-run: docker-qemu-src
 	$(call quiet-command,						\
 		$(SRC_PATH)/tests/docker/docker.py run 			\
 			$(if $(NOUSER),,-u $(shell id -u)) -t 		\
+			--security-opt seccomp=unconfined		\
 			$(if $V,,--rm) 					\
 			$(if $(DEBUG),-i,--net=none) 			\
 			-e TARGET_LIST=$(TARGET_LIST) 			\
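Review bot: the added `--security-opt seccomp=unconfined` line disables Docker's entire default seccomp profile for every docker-run invocation, while the commit message only identifies userfaultfd as the syscall the tests need. Consider either gating the flag on a make variable, mirroring the existing `$(if $(NOUSER),,-u $(shell id -u))` pattern on the line above it, e.g. `$(if $(UNCONFINED),--security-opt seccomp=unconfined,)`, or pointing `--security-opt seccomp=` at a custom profile that only adds the missing syscalls, so the default filter stays in place for the common case. It is also worth confirming that `docker.py run` forwards this option unchanged to `docker run`, since the hunk passes it to the wrapper script rather than to docker directly.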