Thread (9 messages) 9 messages, 6 authors, 2020-11-24

Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround

From: Greg KH <gregkh@linuxfoundation.org>
Date: 2020-11-24 17:16:02
Also in: linux-doc, lkml

On Tue, Nov 24, 2020 at 06:06:38PM +0100, Jann Horn wrote:
+seccomp maintainers/reviewers
[thread context is at
https://lore.kernel.org/linux-api/87lfer2c0b.fsf@oldenburg2.str.redhat.com/ (local)
]

On Tue, Nov 24, 2020 at 5:49 PM Christoph Hellwig [off-list ref] wrote:
quoted
On Tue, Nov 24, 2020 at 03:08:05PM +0100, Mark Wielaard wrote:
quoted
For valgrind the issue is statx which we try to use before falling back
to stat64, fstatat or stat (depending on architecture, not all define
all of these). The problem with these fallbacks is that under some
containers (libseccomp versions) they might return EPERM instead of
ENOSYS. This causes really obscure errors that are really hard to
diagnose.
So find a way to detect these completely broken container run times
and refuse to run under them at all.  After all they've decided to
deliberately break the syscall ABI.  (and yes, we gave the the rope
to do that with seccomp :().
FWIW, if the consensus is that seccomp filters that return -EPERM by
default are categorically wrong, I think it should be fairly easy to
add a check to the seccomp core that detects whether the installed
filter returns EPERM for some fixed unused syscall number and, if so,
prints a warning to dmesg or something along those lines...
Why?  seccomp is saying "this syscall is not permitted", so -EPERM seems
like the correct error to provide here.  It's not -ENOSYS as the syscall
is present.

As everyone knows, there are other ways to have -EPERM be returned from
a syscall if you don't have the correct permissions to do something.
Why is seccomp being singled out here?  It's doing the correct thing.

thanks,

greg k-h
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help