Fam Zheng <f...@redhat.com> writes:

> Some by default blocked syscalls are required to run tests for example
> userfaultfd.

Is there any way the tests could DoS the host? I guess you could achieve the same running the iotests directly from make but it does seem we should confine the docker guest as much as possible. > > Signed-off-by: Fam Zheng <f...@redhat.com> > --- > tests/docker/Makefile.include | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/tests/docker/Makefile.include b/tests/docker/Makefile.include > index 0ed8c3d..09d157c 100644 > --- a/tests/docker/Makefile.include > +++ b/tests/docker/Makefile.include > @@ -127,6 +127,7 @@ docker-run: docker-qemu-src > $(call quiet-command, \ > $(SRC_PATH)/tests/docker/docker.py run \ > $(if $(NOUSER),,-u $(shell id -u)) -t \ > + --security-opt seccomp=unconfined \ > $(if $V,,--rm) \ > $(if $(DEBUG),-i,--net=none) \ > -e TARGET_LIST=$(TARGET_LIST) \ -- Alex Bennée
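
Review bot: The added `--security-opt seccomp=unconfined` line in the `docker-run` recipe is unconditional, so every container started through this target runs with no seccomp filter, not only the tests that need userfaultfd. Consider gating it behind a make variable in the same style as the neighbouring `$(if $(DEBUG),-i,--net=none)`, or passing `--security-opt seccomp=<profile file>` with a profile that allows only the extra syscalls the tests require. The commit message names userfaultfd as one example only; a comment next to the option listing which syscalls and which tests need it would let a later change narrow the setting again.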