Expected behavior
pidfd_send_signal and pidfd_open syscalls being allowed.
Actual behavior
pidfd_open: Operation not permitted and/or pidfd_send_signal: Operation not permitted
Steps to reproduce the behavior
- Compile this using gcc -s -static reproduce.c -o reproduce:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <signal.h>
#include <syscall.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fallback syscall numbers in case the build host's headers predate pidfd
   support. 424/434 are the numbers used for these calls on x86_64. */
#if !defined(SYS_pidfd_send_signal) && defined(__x86_64__) // just to be sure.
# define SYS_pidfd_send_signal 424
#endif
#if !defined(SYS_pidfd_open) && defined(__x86_64__) // just to be sure.
# define SYS_pidfd_open 434
#endif

/* glibc provides no wrappers for these calls, so go through syscall(2). */
static int w_pidfd_open(pid_t pid, unsigned int flags) {
    return syscall(SYS_pidfd_open, pid, flags);
}

static int w_pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags) {
    return syscall(SYS_pidfd_send_signal, pidfd, sig, info, flags);
}

int main(int argc, char **argv) {
    pid_t pid = fork();
    if (pid == -1) {
        perror("fork");
        return 1;
    } else if (pid == 0) {
        sleep(15); /* child: stay alive long enough to be signalled */
        _exit(0);
    }

    /* Under Docker's default seccomp profile this is where EPERM shows up. */
    int pidfd = w_pidfd_open(pid, 0);
    if (pidfd == -1) {
        perror("pidfd_open");
        goto err;
    } else {
        fprintf(stderr, "pidfd_open success\n");
    }
    if (w_pidfd_send_signal(pidfd, SIGTERM, NULL, 0) == -1) {
        perror("pidfd_send_signal");
        goto err;
    }
    close(pidfd);
    waitpid(pid, NULL, 0);
    return 0;

err:
    /* Fall back to plain kill(2) so the child does not linger for 15 seconds. */
    kill(pid, SIGTERM);
    waitpid(pid, NULL, 0);
    return 1;
}
- Run it inside Docker (using docker run --rm -ti -v $(realpath -- ./reproduce):/reproduce:ro busybox:latest /reproduce for example)
- See pidfd_open: Operation not permitted and/or pidfd_send_signal: Operation not permitted
Output of docker version:
Client:
Version: 19.03.13-ce
API version: 1.40
Go version: go1.15.2
Git commit: 4484c46d9d
Built: Sat Sep 26 12:04:46 2020
OS/Arch: linux/amd64
Experimental: false
Server:
Engine:
Version: 19.03.13-ce
API version: 1.40 (minimum version 1.12)
Go version: go1.15.2
Git commit: 4484c46d9d
Built: Sat Sep 26 12:03:35 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.4.1.m
GitCommit: c623d1b36f09f8ef6536a057bd658b3aa8632828.m
runc:
Version: 1.0.0-rc92
GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
docker-init:
Version: 0.18.0
GitCommit: fec3683
Output of docker info:
Client:
Debug Mode: false
Server:
Containers: 7
Running: 1
Paused: 0
Stopped: 6
Images: 47
Server Version: 19.03.13-ce
Storage Driver: btrfs
Build Version: Btrfs v5.7
Library Version: 102
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c623d1b36f09f8ef6536a057bd658b3aa8632828.m
runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 5.7.19-2-mbp
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 15.53GiB
Name: meeksorkim
ID: 2VNO:XB4B:VPPP:O4YY:N43H:FKZ4:6DVI:XDMC:B5CD:AI2I:3GFD:QDUX
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional environment details (AWS, VirtualBox, physical, etc.)
Arch Linux running Docker.
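The "Operation not permitted" in the reproduction steps above is the signature of Docker's default seccomp profile, whose defaultAction is SCMP_ACT_ERRNO: a syscall missing from its allowlist returns -1/EPERM without reaching the kernel, whereas a kernel that simply lacks the syscall returns ENOSYS. The probe below is an added example written for this page (not code from the issue, from Docker or from runc): it reads the Seccomp field from /proc/self/status, issues pidfd_open on the current process and pidfd_send_signal with signal 0 (permission check only, nothing delivered), and classifies each outcome. The fallback numbers 424 and 434 are the unified syscall numbers for pidfd_send_signal and pidfd_open and are assumed only when the build host's headers do not define them.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Unified syscall numbers, used only if the installed headers are too old
   to define them (assumed fallback, see lead-in). */
#ifndef SYS_pidfd_send_signal
# define SYS_pidfd_send_signal 424
#endif
#ifndef SYS_pidfd_open
# define SYS_pidfd_open 434
#endif

enum probe_result {
    PROBE_ALLOWED,          /* call succeeded */
    PROBE_SECCOMP_BLOCKED,  /* EPERM while a seccomp filter is active */
    PROBE_KERNEL_MISSING,   /* ENOSYS: kernel predates the syscall */
    PROBE_OTHER_ERROR       /* anything else (real permission error, bad args, ...) */
};

/* Extract the numeric "Seccomp:" field from /proc/self/status text.
   0 = disabled, 1 = strict, 2 = filter (what a Docker profile installs);
   -1 if the field is absent. "Seccomp_filters:" is deliberately not matched. */
int parse_seccomp_mode(const char *status)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "Seccomp:", 8) == 0) {
            p += 8;
            while (*p == ' ' || *p == '\t') p++;
            return (*p >= '0' && *p <= '9') ? *p - '0' : -1;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

int read_seccomp_mode(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_mode(buf);
}

/* Docker's default profile answers unlisted syscalls with SCMP_ACT_ERRNO, so
   the call returns -1/EPERM before the kernel ever sees it. EPERM under an
   active filter (mode 2) is therefore read as a profile block; ENOSYS means
   the kernel has no such syscall; EPERM without a filter is a genuine
   permission failure and is reported as "other". */
enum probe_result classify(long ret, int err, int seccomp_mode)
{
    if (ret != -1) return PROBE_ALLOWED;
    if (err == ENOSYS) return PROBE_KERNEL_MISSING;
    if (err == EPERM && seccomp_mode == 2) return PROBE_SECCOMP_BLOCKED;
    return PROBE_OTHER_ERROR;
}

const char *probe_name(enum probe_result r)
{
    switch (r) {
    case PROBE_ALLOWED:         return "allowed";
    case PROBE_SECCOMP_BLOCKED: return "blocked by seccomp (EPERM)";
    case PROBE_KERNEL_MISSING:  return "not supported by kernel (ENOSYS)";
    default:                    return "failed for another reason";
    }
}

int main(void)
{
    int mode = read_seccomp_mode();
    printf("Seccomp mode: %d\n", mode);

    /* Open a pidfd for ourselves; no child process is needed for the probe. */
    long fd = syscall(SYS_pidfd_open, (long)getpid(), 0L);
    int e = errno; /* capture before any stdio call can clobber it */
    enum probe_result r = classify(fd, e, mode);
    printf("pidfd_open:        %s\n", probe_name(r));
    if (r != PROBE_ALLOWED) return 1;

    /* Signal 0 performs only the permission check; nothing is delivered. */
    long ret = syscall(SYS_pidfd_send_signal, (int)fd, 0, (void *)0, 0U);
    e = errno;
    r = classify(ret, e, mode);
    printf("pidfd_send_signal: %s\n", probe_name(r));
    close((int)fd);
    return r == PROBE_ALLOWED ? 0 : 1;
}
```

Build it statically and bind-mount it into the busybox container exactly as in the reproduction steps; a second run with --security-opt seccomp=unconfined that flips both lines to "allowed" confirms the profile, not the kernel, is the cause.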