runc incompatibility: crun hangs when sendmsg is in the SCMP_ACT_NOTIFY list #1002
Comments
Possible solution (similar to runc's implementation):
The drawbacks are complexity and dependency on kernel >= 5.6.
giuseppe added a commit to giuseppe/crun that referenced this issue on Sep 5, 2022:

use a helper process to send the listener fd to the child process, in this way the sendmsg syscall happens from an environment that is not seccomp filtered. The helper process shares the fd table with the main process, so there is no need to send the fd around, and no syscalls are invoked between the seccomp filter setup and the sendmsg, so that all syscalls can use SCMP_ACT_NOTIFY without any risk of deadlocking the runtime itself.

Closes: containers#1002
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
thanks for the report: I've opened a PR: #1004
it uses a helper process that shares the fd table so it doesn't need
runc (v1.1.4) accepts the following .linux.seccomp configuration (sendmsg is in the SCMP_ACT_NOTIFY list), but crun (v1.5, also tested v0.19) just hangs.

Reproduction steps:

(In another terminal)

Host: Ubuntu 22.04, kernel 5.15 (x86_64)

This is a blocker for running https://github.com/rootless-containers/bypass4netns with crun.