DockerActionManager: use seccompProfile for borg instead of disabling seccomp completely

Signed-off-by: Simon L. <szaimen@e.mail.de>
Simon L. 2026-01-15 12:55:48 +01:00
parent 20d49c10e1
commit 80634361bb


@ -378,7 +378,27 @@ readonly class DockerActionManager {
if (str_starts_with($container->GetIdentifier(), 'nextcloud-aio-borgbackup')) {
// Disable seccomp policy if seccomp is enabled in the kernel to fix issues like https://github.com/nextcloud/all-in-one/issues/7308
if (!$this->configurationManager->isSeccompDisabled()) {
$requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined", "label:disable", "seccomp:unconfined"];
$seccompProfile = '{
\"defaultAction\": \"SCMP_ACT_ERRNO\",
\"defaultErrnoRet\": 38,
\"architectures\": [
\"SCMP_ARCH_X86_64\",
\"SCMP_ARCH_X86\",
\"SCMP_ARCH_X32\",
\"SCMP_ARCH_AARCH64\",
\"SCMP_ARCH_ARM\"
],
\"syscalls\": [
{
\"names\": [
\"fchmodat2\"
],
\"action\": \"SCMP_ACT_ERRNO\",
\"errnoRet\": 38
}
]
}';
$requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined", "label:disable", "seccomp=$seccompProfile"];
}
// Additional backup directories