Sylabs and Cray cooperate to secure Singularity on CLE5

By Staff

May 4, 2018 | Blog

The Sylabs team has an exciting update regarding the recent PR_SET_NO_NEW_PRIVS security issue.

In collaboration with Cray, it has been discovered that the PR_SET_NO_NEW_PRIVS prctl() option is in fact properly supported by the SLES11SP3 and CLE5 kernels. The reason it appeared unsupported to Singularity (and other container runtimes) is that the necessary user-space dependencies are missing. This is good news: we can declare these requirements directly within Singularity and make proper use of the kernel's support!
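As an added illustration (this is not Singularity's own code), the following C probe declares the prctl option itself when the user-space headers lack it, in the spirit of the approach described above, and then checks whether the running kernel actually honours the flag before a runtime trusts it. The constant values are taken from linux/prctl.h; the function names are this example's own.

```c
/* Probe whether the host kernel honours PR_SET_NO_NEW_PRIVS.
 * Added example, not part of Singularity. Linux only. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Fallback declarations for a user space whose headers predate the
 * option (e.g. SLES11SP3). Values as defined in linux/prctl.h. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Try to set no_new_privs on the calling process and read it back.
 * Returns 1 if the kernel supports it and the bit is now set,
 *         0 if the kernel rejects the option (EINVAL: unknown prctl),
 *        -1 on any other error. */
int enable_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return errno == EINVAL ? 0 : -1;
    /* Do not trust a successful return alone: confirm the bit is set. */
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 1 : 0;
}

/* The flag is one-way by design: an attempt to clear it must fail and
 * the bit must still read as set. Returns 1 if the kernel enforces that. */
int no_new_privs_is_sticky(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0; /* kernel allowed clearing it: not safe to rely on */
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
}

int main(void) {
    int ok = enable_no_new_privs();
    if (ok == 1 && no_new_privs_is_sticky())
        printf("PR_SET_NO_NEW_PRIVS supported: safe to run containers here\n");
    else if (ok == 0)
        printf("PR_SET_NO_NEW_PRIVS unsupported: refuse to run containers\n");
    else
        printf("probe failed or flag not sticky: treat as unsupported\n");
    return ok == 1 ? 0 : 1;
}
```

Because the flag is inherited and irreversible, run the probe in a throwaway child process if the parent later needs privilege transitions.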

This modification has been added to the release-2.5 branch of Singularity on GitHub and will be part of the next released version. If you need a supported version of Singularity that includes this feature and can securely support SLES11 and Cray’s CLE5 as soon as possible, please contact Sylabs directly.

The fact remains that it is unsafe to run containers on host kernels that do not support PR_SET_NO_NEW_PRIVS, but at least the problem set just shrunk! Great news for a Friday, and on that note, have a great weekend, everyone!
