seccomp: skip redundant rules #3109
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chenk008
reviewed
Jul 23, 2021
52ab214 to
eaaf614
Compare
This was referenced Jul 23, 2021
|
@opencontainers/runc-maintainers PTAL; this is a P0 as runc is rendered totally useless. |
AkihiroSuda
reviewed
Jul 24, 2021
cyphar
previously requested changes
Jul 27, 2021
There was a problem hiding this comment.
Please change the warning for unknown syscalls to a debug message. As for the rest of the patch, LGTM (though this seems like it's a bug in podman not in runc, but since the old behaviour is kind brittle and is not defined in the spec, I'm okay with working around it anyway).
Yes, it is (and it is being fixed). But there were also older bug reports with the same diagnostics (not sure how they
I think it is defined in spec (see the last paragraph in #1847 description ... and yes, we need a CI job to run those tools, I'll get around to it later). |
As of commit caca840 (Nov 12 2015) SCMP_ACT_TRACE is supported. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Rather than silently ignoring unknown syscalls, print a warning. While at it, fix imports ordering (stdlib, others, ours). [v2: demote Warn to Debug] Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This fixes using runc with podman on my system (Fedora 34).
> $ podman --runtime `pwd`/runc run --rm --memory 4M fedora echo it works
> Error: unable to start container process: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied
The problem is, libseccomp returns EPERM when a redundant rule (i.e. the
rule with the same action as the default one) is added, and podman (on
my machine) sets the following rules in config.json:
<....>
"seccomp": {
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"names": [
"bdflush",
"io_pgetevents",
<....>
],
"action": "SCMP_ACT_ERRNO",
"errnoRet": 1
},
<....>
(Note that defaultErrnoRet is not set, but it defaults to 1).
With this commit, it works:
> $ podman --runtime `pwd`/runc run --memory 4M fedora echo it works
> it works
Add an integration test (that fails without the fix).
Similar crun commit:
* containers/crun@08229f3fb904c5ea19a7d9
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|
Probably needs a changelog entry too. |
Added |
mrunalp
approved these changes
Aug 4, 2021
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes using runc with podman on my system (Fedora 34).
The problem is, libseccomp returns EPERM when a redundant rule (i.e. the
rule with the same action as the default one) is added, and podman (on
my machine) sets the following rules in config.json:
(Note that defaultErrnoRet is not set, but it defaults to 1).
With this commit, it works:
Similar crun commit:
Fixes: #1847
See also: containers/podman#11031
Changelog entry
1.0 backport: #3129