seccomp: add support for "swapcontext" syscall in default policy#43092
thaJeztah merged 1 commit into moby:master from nmeum:swapcontext-syscall
Conversation
This system call is only available on 32- and 64-bit PowerPC; it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environments, such as systemd nspawn, already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby. This issue was encountered on Alpine Linux's GitLab CI system, which uses moby, when attempting to execute gcc-go compiled software on ppc64le. [1]: systemd/systemd#9487 [2]: systemd/systemd#9485 Signed-off-by: Sören Tempel <[email protected]>
thaJeztah
left a comment
LGTM, thanks for updating 👍
but let me ping @justincormack @AkihiroSuda for a review as well
| "names": [ | ||
| "sync_file_range2" | ||
| "sync_file_range2", | ||
| "swapcontext" |
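Review bot: these lines show only the "names" array, not the enclosing rule, so it cannot be verified from the hunk that "swapcontext" is scoped to the PowerPC architectures where the syscall exists rather than being added to an unconditional allow rule; confirm that the rule's "includes"/"arches" restricts it to ppc64le (plus ppc64 or ppc if those builds are supported), and if default.json is generated from the Go default profile in this repository, carry the same entry in the Go source and regenerate instead of hand-editing the JSON so the two cannot drift.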
Just an observation (and for other reviewers); this adds the syscall conditionally for ppc64le only; the default profile currently doesn't have ppc (32-bit ppc), so it won't be available on those architectures.
I don't think we need to take 32-bit ppc into account, as we don't test/support that architecture, and it's a pretty niche use (I think there's some people doing their own custom builds of dockerd for 32-bit ppc, but not sure)
@nmeum I should mention that the containerd project is also maintaining a seccomp profile that likely should be updated with the same changes as well; https://github.com/containerd/containerd/blob/main/contrib/seccomp/seccomp_default.go#L466-L473
test failures are unrelated; let me bring this one in
Great, thanks!
Should I send a PR for containerd too?
If you're interested in contributing there, yes, feel free to! We try to keep the projects a bit in sync, so that users get the same experience if they use either containerd or dockerd (I'm happy to open a PR myself as well if you don't have time for that) ❤️
I created containerd/containerd#6411 to get this syscall whitelisted in containerd as well 🤗 |
This system call is only available on 32- and 64-bit PowerPC, it is used by modern programming language implementations to implement coroutine features through userspace context switches. moby [1] and systemd nspawn [2] already whitelist this system call so it makes sense to whitelist it in containerd as well. [1]: moby/moby#43092 [2]: systemd/systemd#9487 Signed-off-by: Sören Tempel <[email protected]>
swapcontext seems to be used for coroutines in some languages (at least ruby), enough to have been added to other major engines by an actual user. Link: moby/moby#43092 Link: systemd/systemd#9487 Link: containerd/containerd#6411 Signed-off-by: Dominique Martinet <[email protected]>
- What I did
- How I did it
The swapcontext system call is only available on the 32- and 64-bit PowerPC architectures; it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environments, such as systemd nspawn, already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby.
Issues with the current default seccomp profile were encountered on Alpine Linux's GitLab CI system, which uses docker, when attempting to execute software compiled with gcc-go and libucontext on ppc64le.
- How to verify it
Try running a program using setcontext(3) on ppc64 in a docker container environment; see systemd nspawn for example code.
- Description for the changelog
Whitelist the PPC swapcontext system call in the default seccomp profile.
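A minimal program for that verification step, written for this page as an added example and not taken from the PR or from systemd: it builds a small coroutine on the ucontext(3) API (getcontext, makecontext, swapcontext) and sums the values the coroutine yields. On ppc64le, a libc that implements these calls with the PowerPC-only swapcontext system call (the PR names libucontext, which Alpine uses on musl) gets an error back from the context switch under a seccomp profile that does not allow that syscall, and the program reports the errno instead of printing the expected sum; whether a particular libc actually issues that syscall is an assumption you should confirm for your toolchain, for example with strace. The function and variable names are the example's own.

```c
/* Coroutine demo on the ucontext(3) API.  Constructed example for
 * verifying the swapcontext seccomp change; not code from moby.
 * Expected output when context switches are permitted: sum 14.
 * If the libc backs these calls with the swapcontext syscall and the
 * container's seccomp profile refuses it (moby's default action is
 * SCMP_ACT_ERRNO, so EPERM), coroutine_sum() returns -1 with errno set. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#define CO_STACK_SIZE (64 * 1024)

static ucontext_t main_ctx, co_ctx;   /* caller's and coroutine's saved state */
static char co_stack[CO_STACK_SIZE];  /* private stack for the coroutine */
static int yielded;                   /* value handed back on each yield */
static int co_finished;               /* set when the coroutine body returns */
static int co_failed;                 /* set if a switch inside the body failed */

/* Coroutine body: yields 1, 4 and 9 to the caller, then finishes. */
static void coroutine_body(void)
{
    for (int i = 1; i <= 3; i++) {
        yielded = i * i;
        /* Save this context into co_ctx and resume the caller. */
        if (swapcontext(&co_ctx, &main_ctx) == -1) {
            co_failed = 1;
            break;
        }
    }
    co_finished = 1;
    /* Returning resumes uc_link, i.e. main_ctx. */
}

/* Runs the coroutine to completion.  Returns the sum of its yields (14),
 * or -1 with errno describing the refused context switch. */
int coroutine_sum(void)
{
    int sum = 0;
    co_finished = co_failed = 0;

    if (getcontext(&co_ctx) == -1)
        return -1;
    co_ctx.uc_stack.ss_sp = co_stack;
    co_ctx.uc_stack.ss_size = sizeof co_stack;
    co_ctx.uc_link = &main_ctx;           /* where to go when the body returns */
    makecontext(&co_ctx, coroutine_body, 0);

    for (;;) {
        /* Switch into the coroutine; it switches back on every yield. */
        if (swapcontext(&main_ctx, &co_ctx) == -1)
            return -1;                    /* e.g. EPERM under a blocking profile */
        if (co_finished)
            break;
        sum += yielded;
    }
    return co_failed ? -1 : sum;
}

int main(void)
{
    int sum = coroutine_sum();
    if (sum == -1) {
        fprintf(stderr, "context switch failed: %s\n", strerror(errno));
        return 1;
    }
    printf("coroutine yields summed to %d\n", sum);
    return 0;
}
```

Build it in the image under test (`gcc -O2 -o coctx coctx.c`, adding `-lucontext` where the libc does not provide these functions itself), then run it in a container with the old and the updated default profile via `--security-opt seccomp=<profile.json>`; a run with `--security-opt seccomp=unconfined` is a useful control to confirm that the profile, not the toolchain, is what makes the switch fail.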