Skip to content

seccomp: skip redundant rules #3109

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 4, 2021
Merged

seccomp: skip redundant rules #3109

merged 3 commits into from
Aug 4, 2021

Conversation

@kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Jul 22, 2021
edited
Loading

This fixes using runc with podman on my system (Fedora 34).

$ podman --runtime $(pwd)/runc run --rm --memory 4M fedora echo it works
Error: unable to start container process: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied

The problem is, libseccomp returns EPERM when a redundant rule (i.e. the
rule with the same action as the default one) is added, and podman (on
my machine) sets the following rules in config.json:

    ....
    "seccomp": {
      "defaultAction": "SCMP_ACT_ERRNO",
      "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
      ],
      "syscalls": [
        {
          "names": [
            "bdflush",
            "io_pgetevents",
            ....
          ],
          "action": "SCMP_ACT_ERRNO",
          "errnoRet": 1
        },
        ....

(Note that defaultErrnoRet is not set, but it defaults to 1).

With this commit, it works:

$ podman --runtime $(pwd)/runc run --memory 4M fedora echo it works
it works

Similar crun commit:

Fixes: #1847
See also: containers/podman#11031

Changelog entry

Bugfixes:
* Redundant seccomp rules (i.e. those that has action equal to the default
  one) are now skipped. This fixes the inability to start a container with
  the "adding seccomp filter rule for syscall ..." error.

1.0 backport: #3129

@kolyshkin kolyshkin added kind/bug area/seccomp backport/1.0-pr A backport PR to release-1.0 labels Jul 22, 2021
@kolyshkin kolyshkin mentioned this pull request Jul 22, 2021
Closed
@kolyshkin kolyshkin mentioned this pull request Jul 22, 2021
Closed
chenk008
chenk008 reviewed Jul 23, 2021
View reviewed changes
@kolyshkin kolyshkin force-pushed the seccomp branch 2 times, most recently from 52ab214 to eaaf614 Compare July 23, 2021 19:39
This was referenced Jul 23, 2021
Closed
Closed
@kolyshkin
Copy link
Contributor Author

kolyshkin commented Jul 24, 2021

@opencontainers/runc-maintainers PTAL; this is a P0 as runc is rendered totally useless.

@kolyshkin kolyshkin requested review from a team, AkihiroSuda, cyphar and dqminh July 24, 2021 18:48
AkihiroSuda
AkihiroSuda reviewed Jul 24, 2021
View reviewed changes
cyphar
cyphar previously requested changes Jul 27, 2021
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please change the warning for unknown syscalls to a debug message. As for the rest of the patch, LGTM (though this seems like it's a bug in podman not in runc, but since the old behaviour is kind brittle and is not defined in the spec, I'm okay with working around it anyway).

@kolyshkin
Copy link
Contributor Author

kolyshkin commented Jul 27, 2021

this seems like it's a bug in podman

Yes, it is (and it is being fixed).

But there were also older bug reports with the same diagnostics (not sure how they

since the old behaviour is kind brittle and is not defined in the spec

I think it is defined in spec (see the last paragraph in #1847 description ... and yes, we need a CI job to run those tools, I'll get around to it later).

kolyshkin added 3 commits July 27, 2021 00:04
@kolyshkin
libct/seccomp: ConvertStringToAction: fix doc
073e085 
As of commit caca840 (Nov 12 2015) SCMP_ACT_TRACE
is supported.

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin
libct/seccomp: warn about unknown syscalls
e44bee1 
Rather than silently ignoring unknown syscalls, print a warning.

While at it, fix imports ordering (stdlib, others, ours).

[v2: demote Warn to Debug]

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin
libct/seccomp: skip redundant rules
5dd92fd 
This fixes using runc with podman on my system (Fedora 34).

> $ podman --runtime `pwd`/runc run --rm --memory 4M fedora echo it works
> Error: unable to start container process: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied

The problem is, libseccomp returns EPERM when a redundant rule (i.e. the
rule with the same action as the default one) is added, and podman (on
my machine) sets the following rules in config.json:

    <....>
    "seccomp": {
      "defaultAction": "SCMP_ACT_ERRNO",
      "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
      ],
      "syscalls": [
        {
          "names": [
            "bdflush",
            "io_pgetevents",
            <....>
          ],
          "action": "SCMP_ACT_ERRNO",
          "errnoRet": 1
        },
        <....>

(Note that defaultErrnoRet is not set, but it defaults to 1).

With this commit, it works:

> $ podman --runtime `pwd`/runc run --memory 4M fedora echo it works
> it works

Add an integration test (that fails without the fix).

Similar crun commit:
 * containers/crun@08229f3fb904c5ea19a7d9

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin kolyshkin requested review from AkihiroSuda and cyphar July 27, 2021 07:05
@kolyshkin kolyshkin added backport/1.0-todo A PR in main branch which needs to be backported to release-1.0 and removed backport/1.0-pr A backport PR to release-1.0 labels Jul 28, 2021
cyphar
cyphar approved these changes Jul 29, 2021
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@cyphar
Copy link
Member

cyphar commented Jul 29, 2021

Probably needs a changelog entry too.

@kolyshkin
Copy link
Contributor Author

kolyshkin commented Jul 29, 2021

Probably needs a changelog entry too.

Added

@mrunalp mrunalp merged commit 8772c4d into opencontainers:master Aug 4, 2021
@kolyshkin kolyshkin mentioned this pull request Aug 4, 2021
Merged
@kolyshkin kolyshkin mentioned this pull request Aug 12, 2021
Closed
@kolyshkin kolyshkin added backport/1.0-done A PR in main branch which has been backported to release-1.0 and removed backport/1.0-todo A PR in main branch which needs to be backported to release-1.0 labels Nov 30, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp mrunalp approved these changes

@cyphar cyphar cyphar approved these changes

@dqminh dqminh Awaiting requested review from dqminh

@AkihiroSuda AkihiroSuda Awaiting requested review from AkihiroSuda

+1 more reviewer

@chenk008 chenk008 chenk008 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/seccomp backport/1.0-done A PR in main branch which has been backported to release-1.0 impact/changelog kind/bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

seccomp rejects redundant rules with "requested action matches default action of filter"

5 participants

@kolyshkin @cyphar @mrunalp @chenk008 @AkihiroSuda