WIP

DockerActionManager: use seccompProfile for borg instead of disabling seccomp completely
Signed-off-by: Simon L. <szaimen@e.mail.de>
2026-05-21 10:50:10 +00:00 · 2026-01-15 13:07:40 +01:00 · 2026-01-15 12:55:48 +01:00
1 changed files with 21 additions and 1 deletions
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -378,7 +378,27 @@ readonly class DockerActionManager {
        if (str_starts_with($container->GetIdentifier(), 'nextcloud-aio-borgbackup')) {
            // Disable seccomp policy if seccomp is enabled in the kernel to fix issues like https://github.com/nextcloud/all-in-one/issues/7308
            if (!$this->configurationManager->isSeccompDisabled()) {
-                $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined", "label:disable", "seccomp:unconfined"];
+                $seccompProfile = '{
+                                    "defaultAction": "SCMP_ACT_ERRNO",
+                                    "defaultErrnoRet": 38,
+                                    "architectures": [
+                                        "SCMP_ARCH_X86_64",
+                                        "SCMP_ARCH_X86",
+                                        "SCMP_ARCH_X32",
+                                        "SCMP_ARCH_AARCH64",
+                                        "SCMP_ARCH_ARM"
+                                    ],
+                                    "syscalls": [
+                                        {
+                                        "names": [
+                                            "fchmodat2"
+                                        ],
+                                        "action": "SCMP_ACT_ERRNO",
+                                        "errnoRet": 38
+                                        }
+                                    ]
+                                  }';
+                $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined", "label:disable", "seccomp=$seccompProfile"];
            }

            // Additional backup directories
Author	SHA1	Message	Date
Simon L.	bd56b43da5	WIP	2026-01-15 13:07:40 +01:00
Simon L.	80634361bb	DockerActionManager: use seccompProfile for borg instead of disabling seccomp completely Signed-off-by: Simon L. <szaimen@e.mail.de>	2026-01-15 12:55:48 +01:00