libct/seccomp: skip redundant rules

This fixes using runc with podman on my system (Fedora 34). > $ podman --runtime `pwd`/runc run --rm --memory 4M fedora echo it works > Error: unable to start container process: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied The problem is, libseccomp returns EPERM when a redundant rule (i.e. the rule with the same action as the default one) is added, and podman (on my machine) sets the following rules in config.json: <....> "seccomp": { "defaultAction": "SCMP_ACT_ERRNO", "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32" ], "syscalls": [ { "names": [ "bdflush", "io_pgetevents", <....> ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, <....> (Note that defaultErrnoRet is not set, but it defaults to 1). With this commit, it works: > $ podman --runtime `pwd`/runc run --memory 4M fedora echo it works > it works Similar crun commit: * containers/crun@08229f3fb904c5ea19a7d9 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
opencontainers · Jul 22, 2021 · 11e4df3 · 11e4df3
1 parent d760a90
commit 11e4df3
Showing 1 changed file with 11 additions and 8 deletions.
diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
@@ -67,7 +67,7 @@ func InitSeccomp(config *configs.Seccomp) error {
 		if call == nil {
 			return errors.New("encountered nil syscall while initializing Seccomp")
 		}
-		if err := matchCall(filter, call); err != nil {
+		if err := matchCall(filter, call, defaultAction); err != nil {
 			return err
 		}
 	}
@@ -142,7 +142,7 @@ func getCondition(arg *configs.Arg) (libseccomp.ScmpCondition, error) {
 }
 
 // Add a rule to match a single syscall
-func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
+func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall, defAct libseccomp.ScmpAction) error {
 	if call == nil || filter == nil {
 		return errors.New("cannot use nil as syscall to block")
 	}
@@ -151,17 +151,20 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
 		return errors.New("empty string is not a valid syscall")
 	}
 
-	// If we can't resolve the syscall, assume it's not supported on this kernel
-	// Ignore it, don't error out
-	callNum, err := libseccomp.GetSyscallFromName(call.Name)
+	// Convert the call's action to the libseccomp equivalent
+	callAct, err := getAction(call.Action, call.ErrnoRet)
 	if err != nil {
+		return fmt.Errorf("action in seccomp profile is invalid: %w", err)
+	}
+	if callAct == defAct {
 		return nil
 	}
 
-	// Convert the call's action to the libseccomp equivalent
-	callAct, err := getAction(call.Action, call.ErrnoRet)
+	// If we can't resolve the syscall, assume it's not supported on this kernel
+	// Ignore it, don't error out
+	callNum, err := libseccomp.GetSyscallFromName(call.Name)
 	if err != nil {
-		return fmt.Errorf("action in seccomp profile is invalid: %w", err)
+		return nil
 	}
 
 	// Unconditional match - just add the rule