From 80634361bba92e5732c109a1277332df2e1d524f Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Thu, 15 Jan 2026 12:55:48 +0100 Subject: [PATCH 1/2] DockerActionManager: use seccompProfile for borg instead of disabling seccomp completely Signed-off-by: Simon L. --- php/src/Docker/DockerActionManager.php | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php index 67134576..92880956 100644 --- a/php/src/Docker/DockerActionManager.php +++ b/php/src/Docker/DockerActionManager.php @@ -378,7 +378,27 @@ readonly class DockerActionManager { if (str_starts_with($container->GetIdentifier(), 'nextcloud-aio-borgbackup')) { // Disable seccomp policy if seccomp is enabled in the kernel to fix issues like https://github.com/nextcloud/all-in-one/issues/7308 if (!$this->configurationManager->isSeccompDisabled()) { - $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined", "label:disable", "seccomp:unconfined"]; + $seccompProfile = '{ + \"defaultAction\": \"SCMP_ACT_ERRNO\", + \"defaultErrnoRet\": 38, + \"architectures\": [ + \"SCMP_ARCH_X86_64\", + \"SCMP_ARCH_X86\", + \"SCMP_ARCH_X32\", + \"SCMP_ARCH_AARCH64\", + \"SCMP_ARCH_ARM\" + ], + \"syscalls\": [ + { + \"names\": [ + \"fchmodat2\" + ], + \"action\": \"SCMP_ACT_ERRNO\", + \"errnoRet\": 38 + } + ] + }'; + $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined", "label:disable", "seccomp=$seccompProfile"]; } // Additional backup directories From bd56b43da5ad97d7f3b6f7768cacf06f04623e07 Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Thu, 15 Jan 2026 13:07:40 +0100 Subject: [PATCH 2/2] WIP --- php/src/Docker/DockerActionManager.php | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php index 92880956..c77b4a43 100644 --- a/php/src/Docker/DockerActionManager.php 
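Review bot: The profile assigned to `$seccompProfile` denies every syscall it does not list — `"defaultAction": "SCMP_ACT_ERRNO"` together with `"defaultErrnoRet": 38` makes any unlisted syscall fail with ENOSYS, so the explicit `fchmodat2` rule is redundant and the container would not be able to start. If the goal is only to make glibc fall back from fchmodat2 to fchmodat, the default should be `"defaultAction": "SCMP_ACT_ALLOW"` with the `fchmodat2` entry as the single ERRNO rule; the second hunk of this series carries the same profile and needs the same change. An allow-by-default profile also discards every restriction of Docker's built-in profile, so starting from that profile and adding only the fchmodat2 override would keep those protections while still fixing the fallback. The context comment `// Disable seccomp policy if seccomp is enabled in the kernel ...` is now stale because the code installs a custom profile instead of disabling seccomp; reword it along the lines of `// Apply a custom seccomp profile (fchmodat2 -> ENOSYS) when seccomp is enabled in the kernel, see https://github.com/nextcloud/all-in-one/issues/7308`.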
+++ b/php/src/Docker/DockerActionManager.php @@ -379,22 +379,22 @@ readonly class DockerActionManager { // Disable seccomp policy if seccomp is enabled in the kernel to fix issues like https://github.com/nextcloud/all-in-one/issues/7308 if (!$this->configurationManager->isSeccompDisabled()) { $seccompProfile = '{ - \"defaultAction\": \"SCMP_ACT_ERRNO\", - \"defaultErrnoRet\": 38, - \"architectures\": [ - \"SCMP_ARCH_X86_64\", - \"SCMP_ARCH_X86\", - \"SCMP_ARCH_X32\", - \"SCMP_ARCH_AARCH64\", - \"SCMP_ARCH_ARM\" + "defaultAction": "SCMP_ACT_ERRNO", + "defaultErrnoRet": 38, + "architectures": [ + "SCMP_ARCH_X86_64", + "SCMP_ARCH_X86", + "SCMP_ARCH_X32", + "SCMP_ARCH_AARCH64", + "SCMP_ARCH_ARM" ], - \"syscalls\": [ + "syscalls": [ { - \"names\": [ - \"fchmodat2\" + "names": [ + "fchmodat2" ], - \"action\": \"SCMP_ACT_ERRNO\", - \"errnoRet\": 38 + "action": "SCMP_ACT_ERRNO", + "errnoRet": 38 } ] }';
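Review bot: The profile is still a hand-written JSON literal inside a single-quoted PHP string, which is what made the `\"` escaping this hunk removes possible in the first place; building it as a PHP array and serialising it with `json_encode(..., JSON_THROW_ON_ERROR)` lets the interpreter check the structure and cannot produce invalid JSON, which the daemon would presumably reject at container creation. The enclosing method and the `SecurityOpt` assignment that consumes `$seccompProfile` lie outside the hunk. The values below are kept exactly as the hunk has them.
```php
if (!$this->configurationManager->isSeccompDisabled()) {
    $seccompProfile = json_encode([
        'defaultAction' => 'SCMP_ACT_ERRNO',
        'defaultErrnoRet' => 38,
        'architectures' => [
            'SCMP_ARCH_X86_64',
            'SCMP_ARCH_X86',
            'SCMP_ARCH_X32',
            'SCMP_ARCH_AARCH64',
            'SCMP_ARCH_ARM',
        ],
        'syscalls' => [
            [
                'names' => ['fchmodat2'],
                'action' => 'SCMP_ACT_ERRNO',
                'errnoRet' => 38,
            ],
        ],
    ], JSON_THROW_ON_ERROR);
    // … unchanged: SecurityOpt assignment that follows the hunk …
```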