Tianon is right, runc silently discards syscalls it doesn't know about: https://github.com/opencontainers/runc/blob/ecd55a4135e0a26de884ce436442914f945b1e76/libcontainer/seccomp/seccomp_linux.go#L168-L173
This affects other syscalls, like preadv2: https://github.com/opencontainers/runtime-spec/issues/972

Failing to whitelist a syscall that the kernel does support is safe, but failing to *blacklist* a syscall could be more problematic. But failing to whitelist could also impact functionality/performance compared to a non-containerized application.

I couldn't find if anything is backported in "2.3.1-2.1ubuntu4", but the upstream "2.3.1" limits us to syscalls up to Linux 4.5-rc4.

Summoning Christian to help in bumping the priority of this issue.

** Bug watch added: github.com/opencontainers/runtime-spec/issues #972
   https://github.com/opencontainers/runtime-spec/issues/972

--
https://bugs.launchpad.net/bugs/1755250

Title:
  backport statx syscall whitelist fix
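One way to see which profile entries a runtime would drop on a given host, as an added example that is not part of the bug discussion or of runc: it mirrors the linked runc behaviour by asking the installed libseccomp (via ctypes, `seccomp_syscall_resolve_name`) whether it knows each name, and falls back to a constructed name table when libseccomp is absent. The profile excerpt is constructed, not Docker's real default profile.

```python
import ctypes
import json
from typing import Callable, Dict, List

# Constructed excerpt in Docker's seccomp profile format (not the real default.json).
PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "statx", "preadv2"], "action": "SCMP_ACT_ALLOW"}
  ]
}
"""


def libseccomp_resolver() -> Callable[[str], bool]:
    """Ask the installed libseccomp whether it knows a syscall by name.

    seccomp_syscall_resolve_name() returns __NR_SCMP_ERROR (-1) for names the
    library does not know; those are the entries runc skips without warning.
    """
    lib = ctypes.CDLL("libseccomp.so.2")
    lib.seccomp_syscall_resolve_name.argtypes = [ctypes.c_char_p]
    lib.seccomp_syscall_resolve_name.restype = ctypes.c_int
    return lambda name: lib.seccomp_syscall_resolve_name(name.encode()) != -1


def table_resolver(known: List[str]) -> Callable[[str], bool]:
    """Offline stand-in: a constructed list of names a libseccomp build knows."""
    known_set = set(known)
    return lambda name: name in known_set


def silently_dropped(profile_json: str, knows: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Return, grouped by action, the profile entries the runtime would discard."""
    profile = json.loads(profile_json)
    dropped: Dict[str, List[str]] = {}
    for rule in profile.get("syscalls", []):
        for name in rule.get("names", []):
            if not knows(name):
                dropped.setdefault(rule["action"], []).append(name)
    return dropped


if __name__ == "__main__":
    try:
        resolver = libseccomp_resolver()
    except OSError:
        # No libseccomp here: emulate a build that, like 2.3.1, predates statx/preadv2.
        resolver = table_resolver(["read", "write"])
    print(silently_dropped(PROFILE_JSON, resolver))
```

Entries reported under SCMP_ACT_ALLOW are whitelisted syscalls that will instead hit the default action on that host; entries under a deny action are the more worrying case the comment describes.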
