invalid seccomp syscall 'io_uring_enter': unknown. #156
Comments
|
that is a libseccomp issue: seccomp/libseccomp#177 There is not a release yet that includes that syscalls, but the version from master works fine For Fedora, we are working on backporting these patches to libseccomp |
|
Can crun ignore seccomp entries for unknown syscalls? |
wouldn't that be a potential security issue if the syscall is blocked? And if we skip syscalls that are allowed, then the container can fail despite a correct configuration. Are you using a static build for crun? Perhaps we could build seccomp from git master there |
Closes: containers#156 Signed-off-by: Giuseppe Scrivano <[email protected]>
|
I've opened a PR for using seccomp from master: #158 |
|
I think it is better to ignore unknown syscalls, otherwise it requires exactly synchronised updates of seccomp policies and libseccomp versions which is a huge burden on users. Many distros will not update libseccomp for new syscalls for kernels they are not shipping, so then you cannot change your seccomp policy at all, which makes default seccomp policies very difficult to implement at all. Almost all changes are new syscalls for new kernels, so people are rarely relying on them and will have fallbacks. |
when a syscall that is not known to libseccomp is specified, ignore it instead of failing. It makes easier to use newer seccomp policies on systems using an older libseccomp. It is possible to keep the previous behavior using the "run.oci.seccomp_fail_unknown_syscall=1" annotation. Closes: containers#156 Signed-off-by: Giuseppe Scrivano <[email protected]>
when a syscall that is not known to libseccomp is specified, ignore it instead of failing. It makes easier to use newer seccomp policies on systems using an older libseccomp. It is possible to keep the previous behavior using the "run.oci.seccomp_fail_unknown_syscall=1" annotation. Closes: containers#156 Signed-off-by: Giuseppe Scrivano <[email protected]>
thanks for the explanation. That makes sense to me. I've added a patch to a PR I was already working on (just to avoid rebases) and I've switched the default to not fail when an unknown syscall is found in the seccomp profile: #211 |
when a syscall that is not known to libseccomp is specified, ignore it instead of failing. It makes easier to use newer seccomp policies on systems using an older libseccomp. It is possible to keep the previous behavior using the "run.oci.seccomp_fail_unknown_syscall=1" annotation. Closes: containers#156 Signed-off-by: Giuseppe Scrivano <[email protected]>
* Requires containerd binaries from containerd/containerd#3799 . Metrics are unimplemented yet. * Works with crun v0.10.4, but `--security-opt seccomp=unconfined` is needed unless using master version of libseccomp ( containers/crun#156, seccomp/libseccomp#177 ) * Doesn't work with master runc yet * Resource limitations are unimplemented Signed-off-by: Akihiro Suda <[email protected]>
* Requires containerd binaries from containerd/containerd#3799 . Metrics are unimplemented yet. * Works with crun v0.10.4, but `--security-opt seccomp=unconfined` is needed unless using master version of libseccomp ( containers/crun#156, seccomp/libseccomp#177 ) * Doesn't work with master runc yet * Resource limitations are unimplemented Signed-off-by: Akihiro Suda <[email protected]> Upstream-commit: 612343618dd7dad7cf023e6263d693ab37507a92 Component: engine
crun doesn't work with latest moby seccomp profile because crun doesn't support
io_uring_enter.moby/moby@f4d41f1
The text was updated successfully, but these errors were encountered: