seccomp: add support for flags #3390
Conversation
alban
force-pushed
the
alban_log
branch
2 times, most recently
from
3bc5b6d
to
006a4e3
Compare
libcontainer/specconv/spec_linux.go
Outdated
| switch flag { | ||
| case "SECCOMP_FILTER_FLAG_LOG": |
There was a problem hiding this comment.
It would be nice to not have this set of flags handled in two separate places. Perhaps we can add some common part to libcontainer/seccomp?
While at it, adding SCMP_FLTATR_CTL_OPTIMIZE would be awesome
There was a problem hiding this comment.
Right now we have four supported flags following the same naming convention supported by the SECCOMP_SET_MODE_FILTER operation.
SECCOMP_FILTER_FLAG_LOG
SECCOMP_FILTER_FLAG_NEW_LISTENER
SECCOMP_FILTER_FLAG_SPEC_ALLOW
SECCOMP_FILTER_FLAG_TSYNC
How would SCMP_FLTATR_CTL_OPTIMIZE map to that?
There was a problem hiding this comment.
While at it, adding
SCMP_FLTATR_CTL_OPTIMIZEwould be awesome
The set of flags listed in the runtime-spec is a subset of the flag supported by the Linux API in the seccomp syscall:
flags (array of strings, OPTIONAL) - list of flags to use with seccomp(2).
A valid list of constants is shown below.
SECCOMP_FILTER_FLAG_TSYNC
SECCOMP_FILTER_FLAG_LOG
SECCOMP_FILTER_FLAG_SPEC_ALLOW
SCMP_FLTATR_CTL_OPTIMIZE is part of libseccomp API but not part of the Linux API. It is not in the runtime-spec because container runtimes don't have to use libseccomp. Are you suggesting runc should support it even if it's not in the spec?
There was a problem hiding this comment.
It would be nice to not have this set of flags handled in two separate places. Perhaps we can add some common part to libcontainer/seccomp?
Now that I have added the 2 additional flags, the code looks different, and I don't see how to add some common part to libcontainer/seccomp... any suggestions?
There was a problem hiding this comment.
Re SCMP_FLTATR_CTL_OPTIMIZE.
Perhaps runc should just set it to 2 unconditionally. Also, this is orthogonal to this PR, so nevermind.
| newConfig := new(configs.Seccomp) | ||
| newConfig.Syscalls = []*configs.Syscall{} | ||
|
|
||
| // We don't currently support all seccomp flags. | ||
| for _, flag := range config.Flags { | ||
| switch flag { |
There was a problem hiding this comment.
Let's add support for SECCOMP_FILTER_FLAG_SPEC_ALLOW as well as SECCOMP_FILTER_FLAG_TSYNC
There was a problem hiding this comment.
SECCOMP_FILTER_FLAG_TSYNC is there already and it's on by default (in libseccomp-golang). How would it be supported? Do you mean "let's explicitly ignore it", as I see no other way.
crun supports seccomp filter flags since containers/crun@fefabff runc will get them with opencontainers/runc#3390 youki will get them with containers/youki#733 To support them generally, we now copy the flags during the seccomp setup, otherwise they will get lost. Signed-off-by: Sascha Grunert <[email protected]>
| // Add extra flags | ||
| for _, flag := range config.Flags { | ||
| switch flag { | ||
| case "SECCOMP_FILTER_FLAG_TSYNC": |
There was a problem hiding this comment.
Note: I think we should have them as consts in the runtime spec. I proposed that change in opencontainers/runtime-spec#1138
There was a problem hiding this comment.
Note that seccomp-golang sets this flag unconditionally, and we (runc/libcontainer/seccomp/patchbpf) do not set this at all (not sure if this was by design or just forgotten; @cyphar WDYT?)
From what I see, it seems that for runc it does not make sense to do so, as we execute runc init right after applying seccomp rules, and it does not matter much whether these rules were applied to all threads or not.
There was a problem hiding this comment.
There was an issue with setting it in patchbpf, I can't remember the exact details.
There was a problem hiding this comment.
SECCOMP_FILTER_FLAG_TSYNC is not a flag on the bpf instructions but a flag for the seccomp() syscall, so I don't think patchbpf can do something with it.
There was a problem hiding this comment.
TSYNC is set by libseccomp-golang by default, and there's no way to remove it. So adding it here does not make sense.
There was a problem hiding this comment.
Ah, OK, here we're ignoring it, which I guess is a good thing to do.
tests/integration/seccomp.bats
Outdated
| @test "runc run [seccomp] (SECCOMP_FILTER_FLAG_TSYNC)" { | ||
| update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"] | ||
| | .process.noNewPrivileges = false | ||
| | .linux.seccomp = { | ||
| "defaultAction":"SCMP_ACT_ALLOW", | ||
| "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"], | ||
| "flags":["SECCOMP_FILTER_FLAG_TSYNC"], | ||
| "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}] | ||
| }' | ||
|
|
||
| # This test checks that the tsync flag is accepted | ||
| runc run test_busybox | ||
| [ "$status" -ne 0 ] | ||
| [[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]] | ||
| } | ||
|
|
There was a problem hiding this comment.
I don't like the same code being repeated 3 times. Can probably factor it out to a function accepting the list of flags. That way we can also test a combination of flags, not just individual ones.
There was a problem hiding this comment.
Updated with a loop to test all set of flags possible
|
One other thing -- I don't think it makes any sense to expose |
|
Sorry I didn't follow up on this PR. As a side note, I noticed we will have a new flag soon: SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV |
alban
changed the title
|
I rebased, updated the PR description and commitmsg. I think it is ready for another review. |
|
It seems like all requested changes are implemented on this PR? Is there anything else that needs doing before this gets merged? |
|
It seems my last update in this PR reliably breaks |
|
The error is EINVAL from move_mount(2) syscall. It can be returned if the kernel is too old, but it seems that
There are other cases when the move mount set group can return EINVAL, but it does not seem likely. Ah! It might be caused by the fact that criu ppa comes with criu 3.17-1ppa2.20.04 which is old (should be 3.17.1). I just saw that @rst0git updated that package 3 hours ago. So, let me restart the CI. |
|
TestUsernsCheckpoint also fails on CentOS Stream 9, although with a different diagnostics (from https://cirrus-ci.com/task/5426803694108672?logs=unit_tests#L1368): |
|
@alban you also need to fix a linter warning |
|
We recently updated the criu package in CentOS Stream (#3532) |
Can't hit the merge button :( |
|
Again |
|
I don't have the rights to restart the Cirrus CI. I could force-push to run the CI again but I would lose the 2 approvals. Should I do that? However I don't think that would work: #3532 (comment) says the criu RPM should show up in the CentOS repositories after 1 week but https://gitlab.com/redhat/centos-stream/rpms/criu/-/merge_requests/12 was merged on July 12th, so almost 2 weeks ago and I ran a test of this runc branch on a fork today and it still fail with the same error. |
Signed-off-by: Alban Crequy <[email protected]>
List of seccomp flags defined in runtime-spec: * SECCOMP_FILTER_FLAG_TSYNC * SECCOMP_FILTER_FLAG_LOG * SECCOMP_FILTER_FLAG_SPEC_ALLOW Note that runc does not apply SECCOMP_FILTER_FLAG_TSYNC. It does not make sense to apply the seccomp filter on only one thread; other threads will be terminated after exec anyway. See similar commit in crun: containers/crun@fefabff Note that SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (introduced by https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=c2aa2dfef243 in Linux 5.19-rc1) is not added yet because Linux 5.19 is not released yet. Signed-off-by: Alban Crequy <[email protected]>
|
@rata updated! |
List of seccomp flags defined in runtime-spec:
Note that runc does not apply SECCOMP_FILTER_FLAG_TSYNC. It does not
make sense to apply the seccomp filter on only one thread; other threads
will be terminated after exec anyway.
See similar commit in crun:
containers/crun@fefabff
Note that SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (introduced by
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=c2aa2dfef243
in Linux 5.19-rc1) is not added yet because Linux 5.19 is not released
yet.
Tests:
cc @rata @saschagrunert