TOMOYO and runc containers dislike one another.
Dr. Greg
greg at enjellic.com
Fri Nov 22 04:12:34 UTC 2024
On Fri, Nov 22, 2024 at 08:22:07AM +0900, Tetsuo Handa wrote:
> Hello.
Hi Tetsuo, I hope this note finds the week ending well for you.
> On 2024/11/22 3:42, Dr. Greg wrote:
> > Kernel version is 6.10 something.
> >
> > The path causing the issue is as follows:
> >
> > /dev/fd/7
> >
> > Here are the warning messages that runc spits out:
> >
> > FATA[0000] nsexec[1291]: could not ensure we are a cloned binary: No
> > such file or directory
> >
> > ERRO[0000] runc run failed: unable to start container process: waiting
> > for init preliminary setup: read init-p: connection reset by peer
> Please try applying commit ada1986d0797 ("tomoyo: fallback to realpath
> if symlink's pathname does not exist").
Yes, that did it, thanks for the pointer to the patch.
We now have multiple containers running, each with their own Tomoyo
implementation.... :-)
> Regards.
Have a good weekend.
As always,
Dr. Greg
The Quixote Project - Flailing at the Travails of Cybersecurity
https://github.com/Quixote-Project