seccomp: officially define the list of syscalls required by runc itself

[AkihiroSuda]

There are some syscalls that needs to be enabled to use seccomp mode, but currently these syscalls are not documented.

Also wondering OCI Runtime Spec needs to be revised https://github.com/opencontainers/runtime-spec/blob/a950415649c735f9fd9ec3b8869efef24b67cef4/config-linux.md#seccomp

[AkihiroSuda]

@cyphar

[vrothberg]

It would be great to have a set of syscalls required for that. We recently hit the exact issue in our GSoC project (tracing syscalls via eBPF). We collected the following syscalls in runc while we need the syscalls after prctl (i.e., starting with index 13) for seccomp mode.

["0_nanosleep","1_futex","2_brk","3_epoll_pwait","4_openat",
"5_epoll_ctl","6_getdents64","7_newfstatat","8_close","9_fcntl",
"10_capget","11_read","12_prctl","13_fstat","14_fchown",
"15_setgroups","16_setgid","17_setuid","18_capset","19_chdir",
"20_getppid","21_write","22_execve", ...]

FYI @giuseppe @rhatdan @weirdwiz

[AkihiroSuda]

To run docker.io/library/hello-world (which only calls write(2) and exit(2)) with a spec generated by runc spec, I found I need to enable the following list:

    "seccomp": {
      "defaultAction": "SCMP_ACT_ERRNO",
      "architectures": [
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
      ],
      "syscalls": [
        {
          "names": [
            "epoll_pwait",
            "execve",
            "exit",
            "futex",
            "write"
          ],
          "action": "SCMP_ACT_ALLOW"
        }
      ]
    },

However, this list still doesn't seem enough to run the image with a spec generated by Docker.

(runc version: 425e105)

[vrothberg]

Interesting. Maybe the execution paths are slightly different. I used

[~]$ runc --version
runc version 1.0.0-rc8+dev
commit: e3b4c1108f7d1bf0d09ab612ea09927d9b59b4e3
spec: 1.0.1-dev

[AkihiroSuda]

This seems the minimal requirement for docker run -it --rm --security-opt seccomp=a.json hello-world

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64"
  ],
  "syscalls": [
    {
      "names": [
        "capget",
        "capset",
        "chdir",
        "close",
        "epoll_pwait",
        "execve",
        "fchown",
        "fstat",
        "futex",
        "getdents64",
        "getppid",
        "newfstatat",
        "openat",
        "prctl",
        "read",
        "setgid",
        "setgroups",
        "setuid",
        "write"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}

docker version:

Client:
 Version:           19.09.0-dev
 API version:       1.40
 Go version:        go1.12.7
 Git commit:        8560f9e8
 Built:             Fri Jul 26 10:16:12 2019
 OS/Arch:           linux/amd64
 Experimental:      true

Server:
 Engine:
  Version:          dev
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.12.7
  Git commit:       11e48badcb
  Built:            Fri Jul 26 10:15:06 2019
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.2.7
  GitCommit:        85f6aa58b8a3170aec9824568f7a31832878b603
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

[cyphar]

We have moved the seccomp application stage a few times, so you might end up with some fairly weird results. In theory the only place where we need syscalls is in the last few stages after InitSeccomp here.