!335 [sync] PR-330: docker:add clone3 seccomp whitelist for arm64

From: @openeuler-sync-bot Reviewed-by: @zhangsong234 Signed-off-by: @zhangsong234
2024-08-02 10:08:44 +00:00 · 2024-08-02 10:08:44 +00:00 · 3c585dd996
commit 3c585dd996
parent 88ca467f92 6e938d7183
5 changed files with 51 additions and 3 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-18.09.0.339
+18.09.0.340
--- a/docker.spec
+++ b/docker.spec
@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 339
+Release: 340
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@ -227,6 +227,12 @@ fi
 %endif

 %changelog
+* Fri Aug 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-340
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:add clone3 seccomp whitelist for arm64
+
 * Fri Jul 26 2024 zhongjiawei<zhongjiawei1@huawei.com> - 18.09.0-339
 - Type:CVE
 - CVE:CVE-2024-41110
--- a/2
+++ b/2
@ -1 +1 @@
-bb54f3063f3fc856630a6f3d5a52bf065d5eb045
+29173030b7e118013ed3e8a3773492c40928bb9c
--- a/patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
+++ b/patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
@ -0,0 +1,41 @@
+From c2bc614038532cfbd1db9bfe8ff3949b1867a5c5 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Fri, 2 Aug 2024 16:26:00 +0800
+Subject: [PATCH] docker:add clone3 seccomp whitelist for arm64
+
+---
+ components/engine/profiles/seccomp/seccomp_default.go | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
+index 2c670623..a90e441c 100644
+--- a/components/engine/profiles/seccomp/seccomp_default.go
+++ b/components/engine/profiles/seccomp/seccomp_default.go
+@@ -482,7 +482,6 @@ func DefaultProfile() *types.Seccomp {
+ 		{
+ 			Names: []string{
+ 				"modify_ldt",
+-				"clone3",
+ 			},
+ 			Action: types.ActAllow,
+ 			Args:   []*types.Arg{},
+@@ -490,6 +489,16 @@ func DefaultProfile() *types.Seccomp {
+ 				Arches: []string{"amd64", "x32", "x86"},
+ 			},
+ 		},
+		{
+                        Names: []string{
+				"clone3",
+                        },
+                        Action: types.ActAllow,
+                        Args:   []*types.Arg{},
+                        Includes: types.Filter{
+                                Arches: []string{"arm64", "amd64", "x32", "x86"},
+                        },
+                },
+ 		{
+ 			Names: []string{
+ 				"s390_pci_mmio_read",
+-- 
+2.33.0
+
--- a/series.conf
+++ b/series.conf
@ -275,4 +275,5 @@ patch/0274-docker-fix-CVE-2024-29018.patch
 patch/0275-backport-fix-CVE-2024-32473.patch
 patch/0276-docker-Ignore-SIGURG-on-Linux.patch
 patch/0277-backport-fix-CVE-2024-41110.patch
+patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
 #end