Add openat2 and faccessat2 to default seccomp profile. #41353

tao12345666333 · 2020-08-14T07:08:25Z

Note: openat2() first appeared in Linux 5.6. And Glibc does not provide a wrapper for this system call; call it using
syscall(2).

ref: https://man7.org/linux/man-pages/man2/openat2.2.html

thaJeztah · 2020-08-14T10:40:33Z

Oh, you need to edit or re-generate the JSON variant of the profile as well;


[2020-08-14T07:09:16.081Z] The result of go generate ./profiles/seccomp/ differs
[2020-08-14T07:09:16.081Z] 
[2020-08-14T07:09:16.081Z]  M profiles/seccomp/default.json
[2020-08-14T07:09:16.081Z] 
[2020-08-14T07:09:16.081Z] Please re-run go generate ./profiles/seccomp/

After this is merged, could you also open a pull request in containerd to update the profile to match? https://github.com/containerd/containerd/tree/master/contrib/seccomp

thaJeztah · 2020-08-14T10:42:17Z

I wonder if libseccomp needs an update for this; I see only a single occurence of openat2 https://github.com/seccomp/libseccomp/search?q=openat2&unscoped_q=openat2

but many occurrences of openat https://github.com/seccomp/libseccomp/search?q=openat&unscoped_q=openat

tao12345666333 · 2020-08-14T10:54:30Z

Thanks, let me take a look.

follow up to moby#41344 (comment) Signed-off-by: Jintao Zhang <[email protected]>

tao12345666333 · 2020-08-16T08:23:27Z

I wonder if libseccomp needs an update for this; I see only a single occurence of openat2 https://github.com/seccomp/libseccomp/search?q=openat2&unscoped_q=openat2

@thaJeztah it seems like libseccomp has been updated (release/2.4) seccomp/libseccomp@b3206ad

tao12345666333 · 2020-08-16T08:31:30Z

After this is merged, could you also open a pull request in containerd to update the profile to match?

Opened PR containerd/containerd#4481

thaJeztah · 2020-08-17T08:53:35Z

it seems like libseccomp has been updated (release/2.4) seccomp/libseccomp@b3206ad

Ah; yes, I see they switched to a different approach for "master" and the 2.5 branch, and now use a csv; seccomp/libseccomp@f5b3166

Master (and 2.5 branch) already had the openat2 syscall (in the above commit) and later updated to kernel 5.8.x in seccomp/libseccomp@5696c89#diff-afab4e57b1c976404582fcde2763f6b6L236

thaJeztah · 2020-08-17T08:54:24Z

Looking at that last link; should we add faccessat2 as well? I see that was newly added, and l see faccessat is in our current profile?

tao12345666333 · 2020-08-17T13:11:30Z

Yes, I missed it.
Thanks. Let me add it.

Signed-off-by: Jintao Zhang <[email protected]>

thaJeztah

LGTM

thaJeztah · 2020-08-17T14:26:32Z

Hmmm

All nodes of label ‘ppc64le-ubuntu-1604’ are offline

thaJeztah · 2020-08-17T15:24:06Z

Ignoring the ppc64le stage, which is unrelated

Since glibc 2.33, the faccessat() function tries the faccessat2 system call first and falls back to the faccessat system call on older kernels [1]. However, the seccomp profile provided by old Docker engines does not allow faccessat2 (fixed by [2][3]). As a result, the faccessat2 system call returns EPERM, and glibc returns an error in this case. Using a patched glibc to workaround this issue. Note that the aforementioned glibc commit does not mean that glibc 2.33 building on new kernels does not work with old kernels. Instead, the __LINUX_KERNEL_VERSION macro is 0 by default to achieve best-effort compatibility with various kernel versions. [1] https://sourceware.org/git/?p=glibc.git;a=patch;h=3d3ab573a5f3071992cbc4f57d50d1d29d55bde2 [2] moby/moby#41353 [3] moby/moby#41381

Fixes moby#41704 The latest released versions of the static binaries (20.10.3) are still unable to use faccessat2 with musl-1.2.2 even though this was addressed in moby#41353 and related issues. The underlying cause seems to be that the build system here still uses the default version of libseccomp shipped with buster. An updated version is available in buster backports: https://packages.debian.org/buster-backports/libseccomp-dev Signed-off-by: Jeremy Huntwork <[email protected]>

Fixes moby#41704 The latest released versions of the static binaries (20.10.3) are still unable to use faccessat2 with musl-1.2.2 even though this was addressed in moby#41353 and related issues. The underlying cause seems to be that the build system here still uses the default version of libseccomp shipped with buster. An updated version is available in buster backports: https://packages.debian.org/buster-backports/libseccomp-dev Signed-off-by: Jeremy Huntwork <[email protected]> (cherry picked from commit 1600e85) Signed-off-by: Sebastiaan van Stijn <[email protected]>

Since glibc 2.33, the faccessat() function tries the faccessat2 system call first and falls back to the faccessat system call on older kernels [1]. However, the seccomp profile provided by old Docker engines does not allow faccessat2 (fixed by [2][3]). As a result, the faccessat2 system call returns EPERM, and glibc returns an error in this case. Using a patched glibc to workaround this issue. Note that the aforementioned glibc commit does not mean that glibc 2.33 building on new kernels does not work with old kernels. Instead, the __LINUX_KERNEL_VERSION macro is 0 by default to achieve best-effort compatibility with various kernel versions. [1] https://sourceware.org/git/?p=glibc.git;a=patch;h=3d3ab573a5f3071992cbc4f57d50d1d29d55bde2 [2] moby/moby#41353 [3] moby/moby#41381

Fixes moby#41704 The latest released versions of the static binaries (20.10.3) are still unable to use faccessat2 with musl-1.2.2 even though this was addressed in moby#41353 and related issues. The underlying cause seems to be that the build system here still uses the default version of libseccomp shipped with buster. An updated version is available in buster backports: https://packages.debian.org/buster-backports/libseccomp-dev Signed-off-by: Jeremy Huntwork <[email protected]> (cherry picked from commit 1600e85) Signed-off-by: Sebastiaan van Stijn <[email protected]>

tao12345666333 mentioned this pull request Aug 14, 2020

vendor runc rc92 #41344

Merged

AkihiroSuda approved these changes Aug 14, 2020

View reviewed changes

AkihiroSuda added area/security/seccomp process/cherry-pick labels Aug 14, 2020

Add openat2 to default seccomp profile.

b8988c8

follow up to moby#41344 (comment) Signed-off-by: Jintao Zhang <[email protected]>

tao12345666333 force-pushed the add-openat2-to-seccomp-profile branch from 1c9bad2 to b8988c8 Compare August 16, 2020 08:00

thaJeztah mentioned this pull request Aug 17, 2020

seccomp: add openat2 and faccessat2 syscall. containerd/containerd#4481

Merged

Add faccessat2 to default seccomp profile.

a181391

Signed-off-by: Jintao Zhang <[email protected]>

AkihiroSuda approved these changes Aug 17, 2020

View reviewed changes

thaJeztah changed the title ~~Add openat2 to default seccomp profile.~~ Add openat2 and faccessat2 to default seccomp profile. Aug 17, 2020

thaJeztah approved these changes Aug 17, 2020

View reviewed changes

justincormack approved these changes Aug 17, 2020

View reviewed changes

thaJeztah added the status/4-merge label Aug 17, 2020

thaJeztah merged commit 868578e into moby:master Aug 17, 2020

thaJeztah added this to the 20.03.0 milestone Aug 17, 2020

tao12345666333 deleted the add-openat2-to-seccomp-profile branch August 17, 2020 15:35

thaJeztah added the impact/changelog label Aug 24, 2020

thaJeztah mentioned this pull request Aug 24, 2020

[19.03 backport] seccomp profile updates #41381

Closed

thaJeztah added process/cherry-picked and removed process/cherry-pick labels Aug 24, 2020

achimnol mentioned this pull request Feb 24, 2021

Update seccomp profiles lablup/backend.ai-jail#10

Open

thaJeztah mentioned this pull request Mar 15, 2021

[20.10 backport] Use buster backports to build with libseccomp-2.4.4 #42147

Merged

This was referenced Apr 26, 2021

Creating a sysbox container with systemd >= 247.2 may fail nestybox/sysbox#273

Closed

Adding new syscalls to seccomp profile to resolve compatibility issues nestybox/sysbox-runc#35

Closed

stanhu mentioned this pull request Jul 9, 2021

Alpine 3.14 images can fail on Docker versions older than 20.10 docker-library/ruby#351

Closed

thaJeztah mentioned this pull request Aug 10, 2021

7.4.21-fpm-alpine3.14 missing linux/ppc64le and linux/s390x docker-library/php#1178

Closed

ElijahLynn mentioned this pull request Aug 23, 2021

CI Base Image failing with E: Sub-process /usr/bin/dpkg returned an error code (1) department-of-veterans-affairs/va.gov-cms#6216

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add openat2 and faccessat2 to default seccomp profile. #41353

Add openat2 and faccessat2 to default seccomp profile. #41353

Uh oh!

tao12345666333 commented Aug 14, 2020

Uh oh!

thaJeztah commented Aug 14, 2020

Uh oh!

thaJeztah commented Aug 14, 2020

Uh oh!

tao12345666333 commented Aug 14, 2020

Uh oh!

tao12345666333 commented Aug 16, 2020

Uh oh!

tao12345666333 commented Aug 16, 2020

Uh oh!

thaJeztah commented Aug 17, 2020

Uh oh!

thaJeztah commented Aug 17, 2020

Uh oh!

tao12345666333 commented Aug 17, 2020

Uh oh!

thaJeztah left a comment

Uh oh!

thaJeztah commented Aug 17, 2020

Uh oh!

thaJeztah commented Aug 17, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Add openat2 and faccessat2 to default seccomp profile. #41353

Add openat2 and faccessat2 to default seccomp profile. #41353

Uh oh!

Conversation

tao12345666333 commented Aug 14, 2020

Uh oh!

thaJeztah commented Aug 14, 2020

Uh oh!

thaJeztah commented Aug 14, 2020

Uh oh!

tao12345666333 commented Aug 14, 2020

Uh oh!

tao12345666333 commented Aug 16, 2020

Uh oh!

tao12345666333 commented Aug 16, 2020

Uh oh!

thaJeztah commented Aug 17, 2020

Uh oh!

thaJeztah commented Aug 17, 2020

Uh oh!

tao12345666333 commented Aug 17, 2020

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

thaJeztah commented Aug 17, 2020

Uh oh!

thaJeztah commented Aug 17, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants