Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround
From: Greg KH <gregkh@linuxfoundation.org>
Date: 2020-11-24 17:16:02
Also in:
linux-doc, lkml
On Tue, Nov 24, 2020 at 06:06:38PM +0100, Jann Horn wrote:
+seccomp maintainers/reviewers [thread context is at https://lore.kernel.org/linux-api/87lfer2c0b.fsf@oldenburg2.str.redhat.com/ (local) ] On Tue, Nov 24, 2020 at 5:49 PM Christoph Hellwig [off-list ref] wrote:quoted
On Tue, Nov 24, 2020 at 03:08:05PM +0100, Mark Wielaard wrote:quoted
For valgrind the issue is statx which we try to use before falling back to stat64, fstatat or stat (depending on architecture, not all define all of these). The problem with these fallbacks is that under some containers (libseccomp versions) they might return EPERM instead of ENOSYS. This causes really obscure errors that are really hard to diagnose.So find a way to detect these completely broken container run times and refuse to run under them at all. After all they've decided to deliberately break the syscall ABI. (and yes, we gave the the rope to do that with seccomp :().FWIW, if the consensus is that seccomp filters that return -EPERM by default are categorically wrong, I think it should be fairly easy to add a check to the seccomp core that detects whether the installed filter returns EPERM for some fixed unused syscall number and, if so, prints a warning to dmesg or something along those lines...
Why? seccomp is saying "this syscall is not permitted", so -EPERM seems like the correct error to provide here. It's not -ENOSYS as the syscall is present. As everyone knows, there are other ways to have -EPERM be returned from a syscall if you don't have the correct permissions to do something. Why is seccomp being singled out here? It's doing the correct thing. thanks, greg k-h