Commit
Revert "seccomp: block socket calls to AF_VSOCK in default profile"
This reverts commit 57b2290.

This change, while favorable from a security standpoint, caused a regression for users of the 20.10 branch of Moby. As such, we are reverting it to ensure stability and compatibility for the affected users.

However, users of AF_VSOCK in containers should recognize that this (special) address family is not currently namespaced in any version of the Linux kernel, and may result in unexpected behavior, like VMs communicating directly with host hypervisors.

Future branches, including the 23.0 branch, will continue to filter AF_VSOCK. Users who need to allow containers to communicate over the unnamespaced AF_VSOCK will need to turn off seccomp confinement or set a custom seccomp profile. It is our hope that future mechanisms will make this more ergonomic/maintainable for end users, and that future kernels will support namespacing of AF_VSOCK.

Closes #44670.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
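For operators on the 20.10 branch who want to keep the AF_VSOCK restriction the revert removes, the following is an added illustration of how a custom seccomp profile can express it; it is not code from this commit or from the Moby default profile. It assumes Docker's seccomp profile JSON format (`defaultAction`, `syscalls`, per-syscall `args` filters) and that `AF_VSOCK` has the numeric value 40 in the Linux kernel's socket address family table. Because `--security-opt seccomp=<file>` replaces the default profile rather than extending it, this `socket` entry would be merged into a copy of the full default profile, replacing its unconditional `socket` allow rule, rather than used on its own.

```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "archMap": [
    {
      "architecture": "SCMP_ARCH_X86_64",
      "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]
    }
  ],
  "syscalls": [
    {
      "comment": "Illustrative fragment only: the remaining allow rules of the default profile go here.",
      "names": ["socket"],
      "action": "SCMP_ACT_ALLOW",
      "args": [
        {
          "index": 0,
          "value": 40,
          "valueTwo": 0,
          "op": "SCMP_CMP_NE"
        }
      ]
    }
  ]
}
```

Only the first argument (the address family) is compared, so `socket(AF_VSOCK, ...)` falls through to `defaultAction` and fails with an errno while every other family is allowed as before. Workloads that genuinely need AF_VSOCK would instead drop the `args` filter on a copy of this entry, which is the custom-profile route the commit message describes.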