!56 docker:add clone3 to seccomp whitelist to fix curl failed in X86

From: @Vanient Reviewed-by: @jianminw Signed-off-by: @jianminw
2021-09-08 09:36:12 +00:00 · 2021-09-08 09:36:12 +00:00 · 8c7be812cf
commit 8c7be812cf
parent 704395add0 7b18fd9382
5 changed files with 40 additions and 3 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-18.09.0.116
+18.09.0.117
--- a/docker.spec
+++ b/docker.spec
@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 116
+Release: 117
 Summary: The open-source application container engine
 Group: Tools/Docker

@ -212,6 +212,12 @@ fi
 %endif

 %changelog
+* Wed Sep 08 2021 xiadanni<xiadanni1@huawei.com> - 18.09.0-117
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:add clone3 to seccomp whitelist to fix curl failed in X86
+
 * Fri Sep 03 2021 chenjiankun<chenjiankun1@huawei.com> - 18.09.0-116
 - Type:bugfix
 - CVE:NA
--- a/2
+++ b/2
@ -1 +1 @@
-fe98eb898c92a27f02439bc043b071aaadaf3f6e
+cfb8513e11e19660d19486f6a4ac25516f1413cd
--- a/patch/0192-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch
+++ b/patch/0192-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch
@ -0,0 +1,30 @@
+From 376f6a9de2dcbf9605c23409a880eb3534af6ffa Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Wed, 8 Sep 2021 09:04:31 +0800
+Subject: [PATCH] docker: add clone3 to seccomp whitelist to fix curl failed in
+ X86
+
+After kernel upgrade to 5.10, clone3 is defined. But if clone3 is not added
+to docker seccomp whitelist, clone3 calling will be rejected in container, which
+causes some commands like curl returns error.
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ components/engine/profiles/seccomp/seccomp_default.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
+index 60550124..ac81c2e0 100644
+--- a/components/engine/profiles/seccomp/seccomp_default.go
+++ b/components/engine/profiles/seccomp/seccomp_default.go
+@@ -449,6 +449,7 @@ func DefaultProfile() *types.Seccomp {
+ 		{
+ 			Names: []string{
+ 				"modify_ldt",
+				"clone3",
+ 			},
+ 			Action: types.ActAllow,
+ 			Args:   []*types.Arg{},
+-- 
+2.27.0
+
--- a/series.conf
+++ b/series.conf
@ -189,4 +189,5 @@ patch/0188-docker-check-containerd-pid-before-kill-it.patch
 patch/0189-docker-fix-Access-to-remapped-root-allows-privilege-.patch
 patch/0190-docker-fix-CVE-2021-21285.patch
 patch/0191-rollback-if-docker-restart-when-doing-BlkDiscard.patch
+patch/0192-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch
 #end