seccomp: allow syscall membarrier #40731
Conversation
Julio-Guerra
force-pushed
the
fix/seccomp-profile
branch
from
dc3c37c to
e62efce
Compare
|
This issue does not lead to memory incoherence. musl supports kernels far older than the membarrier syscall, and implements a costly fallback if the syscall fails. However it's perferable to allow the syscall so that the fallback isn't needed. |
FYI, we ran a lot of tests on AWS codebuild because they fail almost all the time and rarely succeed. But as soon as we add membarrier to seccomp profile json file, we no longer have the issue at all. |
|
|
What are the tests that fail doing/trying to assert? I think you'll find it's something unrelated to the use of membarrier in dlopen, but I'd be interested in hearing if not. The use in dlopen is really a virtual nop - the ordering properties it's ensuring are automatically satisfied on any architecture with "consume" type semantics, which is pretty much every architecture ever made except DEC Alpha. If something is going wrong related to dlopen, the mechanism of breakage is likely something different - maybe a problem stemming from other syscalls being blocked? |
AkihiroSuda
added
area/security/seccomp
kind/enhancement
|
had a quick chat with @justincormack, and he thought the change to the seccomp profile should be ok |
|
Changes look good; could you squash the two commits into one? Let me know if you need help with that |
Add the membarrier syscall to the default seccomp profile. It is for example used in the implementation of dlopen() in the musl libc of Alpine images. Signed-off-by: Julio Guerra <[email protected]>
Julio-Guerra
force-pushed
the
fix/seccomp-profile
branch
from
5f5a966 to
1026f87
Compare
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
LGTM (assuming CI passes), thanks!
thaJeztah
added
status/2-code-review
impact/changelog
and removed
status/1-design-review
labels
|
@AkihiroSuda PTAL |
|
That should close this issue, but I believe there may be another problem behind this, in the form of undersized stack that caused the crash when signal-based fallback was used. That should be checked out too, since an undersized stack could come back as crashes elsewhere later. |
4 participants
- What I did
Allow syscall
membarrierin the default seccomp profile in order to fix memory coherency issues leading to segfault errors on Alpine containers. It was firstly noticed with AWS EC2 instances running the docker imagenode:10-alpineand failing almost all the time.We could also reproduce it locally when slowing down the node process with ltrace.
The musl libc uses indeed the syscall in its implementation of
dlopen(), leading to memory incoherence when used concurrently, which is the case with node's libuv.- How I did it
Add membarrier to the list of allowed syscalls.
- How to verify it
Write a test using membarrier.
- Description for the changelog
seccomp: allow syscall membarrier