features: add support for potentiallyUnsafeConfigAnnotations #1444
23cd2e5 to af9b6cc
src/libcrun/container.c
Outdated
"run.oci.handler", | ||
"run.oci.systemd.subgroup", | ||
"run.oci.mount_context_type", | ||
"run.oci.systemd.force_cgroup_v1", | ||
"run.oci.keep_original_groups", | ||
"run.oci.pidfd_receiver", | ||
"run.oci.hooks.stdout", | ||
"run.oci.hooks.stderr", | ||
"run.oci.seccomp.plugins", | ||
"run.oci.seccomp.receiver", | ||
"run.oci.seccomp_bpf_data", | ||
"run.oci.seccomp_fail_unknown_syscall", |
is `run.oci.*` a valid value?
If so, that would be better, as potentially any `run.oci.*` annotation can change the behavior of the runtime
not with the asterisk, but yeah I can do a generic one
1d6e4fb to 2c275c4
could you run |
src/libcrun/linux.c
Outdated
@@ -3093,7 +3093,7 @@ libcrun_set_usernamespace (libcrun_container_t *container, pid_t pid, libcrun_er | |||
return 0; | |||
} | |||
|
|||
#define CAP_TO_MASK_0(x) (1L << ((x) & 31)) | |||
#define CAP_TO_MASK_0(x) (1L << ((x) &31)) |
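Review bot: The CAP_TO_MASK_0 line changes only the spacing of `& 31` to `&31`, which is formatter churn unrelated to the annotations feature and makes the operator read like an address-of; drop it from this patch. Separately, the macro shifts a signed 1L by up to 31 bits, so 1UL would avoid undefined behaviour on targets where long is 32 bits wide.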
seems unrelated to the patchset
list generated by finding all instances of `find_annotation`

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2c275c4 to 475a3fd
the failure doesn't depend on this patch, so I am merging anyway
list generated by finding all instances of `find_annotation`
(note to reviewer: I don't know if they're all unsafe and I probably will end up omitting some, per your request)