nspawn: add "swapcontext()" to seccomp whitelist for user contexts on ppc32 #9485

LionNatsu · 2018-07-02T19:10:20Z

systemd version the issue has been seen with

From 96bedbe nspawn: replace syscall blacklist with a whitelist

... v239 v238 v237 v236 v235.

Unexpected behaviour you saw

Function swapcontext is out of system call filter whitelist of nspawn. Anyone of {get,set,make,swap}context is not available on PowerPC 32-bit (i.e. PPC32) container by default.

Use case: Fibers of Ruby is not available in PPC32 container.
https://bugs.ruby-lang.org/issues/14883

Steps to reproduce the problem

Part. 1

nspawn a PPC32 container, run Ruby code:

fib = Enumerator.new do |y|
  y << "FOO"
  y << "BAR"
end
puts fib.next

It should print "FOO", but it segmentation fault.

Part. 2

#include <ucontext.h>
#include <errno.h>
int main() {
    ucontext_t c;
    if (getcontext(&c) < 0)
        return errno;
    return 0;
}

It should return 0, but it returned 1 (EPERM).

Notes

A fiber uses getcontext() function to get the current context, to construct a new context, and uses makecontext() to switch context, so we have a nice lightweight userspace "thread" (or coroutine, fiber etc.).

The underlying call of getcontext() depends on architectures.

I checked source code from glibc (/sysdeps/unix/sysv/linux):

aarch64: rt_sigprocmask
sparc64: trap 0x6e
sparc32: rt_sigprocmask
sh3: sigprocmask
sh4: sigprocmask
i386: sigprocmask
arm: sigprocmask
powerpc64: sigprocmask
powerpc32: swapcontext
alpha: osf_sigprocmask
s390-32: rt_sigprocmask
s390-64: rt_sigprocmask
nios2: rt_sigprocmask
ia64: rt_sigprocmask
hppa: sigprocmask
x86_64: rt_sigprocmask
m680x0: sigprocmask

We already have {,rt_}sigprocmask in whitelist now (@signal), but there is no swapcontext.

systemd/src/shared/seccomp-util.c

Lines 723 to 740 in 2479c4f

    
           [SYSCALL_FILTER_SET_SIGNAL] = { 
        
                   .name = "@signal", 
        
                   .help = "Process signal handling", 
        
                   .value = 
        
                   "rt_sigaction\0" 
        
                   "rt_sigpending\0" 
        
                   "rt_sigprocmask\0" 
        
                   "rt_sigsuspend\0" 
        
                   "rt_sigtimedwait\0" 
        
                   "sigaction\0" 
        
                   "sigaltstack\0" 
        
                   "signal\0" 
        
                   "signalfd\0" 
        
                   "signalfd4\0" 
        
                   "sigpending\0" 
        
                   "sigprocmask\0" 
        
                   "sigsuspend\0" 
        
           },

The syscall swapcontext() is a kind of mixture of {get,set,make,swap}context. Semantically it may be not suitable for @signal, we can put it in here:

systemd/src/nspawn/nspawn-seccomp.c

Lines 57 to 60 in 2479c4f

    
           /* Plus a good set of additional syscalls which are not part of any of the groups above */ 
        
           { 0,                  "brk"                    }, 
        
           { 0,                  "capget"                 }, 
        
           { 0,                  "capset"                 },

The text was updated successfully, but these errors were encountered:

poettering · 2018-07-02T19:47:52Z

hmm, I'd probably add it to @process. after all a coroutine is a bit like a thread, and that's where we placed child process and thread creation syscalls... Could you prep a PR for this? We don't have access to ppc, hence rely on testing/submission for more exotic archs like this one.

systemd/systemd#9485 https://bugs.ruby-lang.org/issues/14883

There are some modern programming languages use userspace context switches to implement coroutine features. PowerPC (32-bit) needs syscall "swapcontext" to get contexts or switch between contexts, which is special. Adding this rule should fix systemd#9485.

LionNatsu · 2018-07-02T21:01:09Z

Could you prep a PR for this? We don't have access to ppc, hence rely on testing/submission for more exotic archs like this one.

Sure, and it works fine here now.

There are some modern programming languages use userspace context switches to implement coroutine features. PowerPC (32-bit) needs syscall "swapcontext" to get contexts or switch between contexts, which is special. Adding this rule should fix #9485.

There are some modern programming languages use userspace context switches to implement coroutine features. PowerPC (32-bit) needs syscall "swapcontext" to get contexts or switch between contexts, which is special. Adding this rule should fix systemd#9485. (cherry picked from commit a9518dc)

This system call is only available on the 32- and 64-bit PowerPC, it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environment, such as Systemd nspawn already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby. This issue was encountered on Alpine Linux GitLab CI system, which uses moby, when attempting to execute gcc-go compiled software on ppc64le. [1]: systemd/systemd#9487 [2]: systemd/systemd#9485 Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net>

This system call is only available on the 32- and 64-bit PowerPC, it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environment, such as Systemd nspawn already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby. This issue was encountered on Alpine Linux GitLab CI system, which uses moby, when attempting to execute gcc-go compiled software on ppc64le. [1]: systemd/systemd#9487 [2]: systemd/systemd#9485 Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net> (cherry picked from commit 85eaf23) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

LionNatsu added a commit to AOSC-Archive/ciel that referenced this issue Jul 2, 2018

nspawn: add swapcontext to libseccomp whitelist for PPC32

b0feec4

systemd/systemd#9485 https://bugs.ruby-lang.org/issues/14883

poettering added needs-patch seccomp labels Jul 2, 2018

LionNatsu mentioned this issue Jul 2, 2018

seccomp: add swapcontext into @process for ppc32 #9487

Merged

poettering closed this as completed in #9487 Jul 3, 2018

nmeum mentioned this issue Dec 18, 2021

seccomp: add support for "swapcontext" syscall in default policy moby/moby#43092

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nspawn: add "swapcontext()" to seccomp whitelist for user contexts on ppc32 #9485

nspawn: add "swapcontext()" to seccomp whitelist for user contexts on ppc32 #9485

LionNatsu commented Jul 2, 2018 •

edited

poettering commented Jul 2, 2018

LionNatsu commented Jul 2, 2018 •

edited

nspawn: add "swapcontext()" to seccomp whitelist for user contexts on ppc32 #9485

nspawn: add "swapcontext()" to seccomp whitelist for user contexts on ppc32 #9485

Comments

LionNatsu commented Jul 2, 2018 • edited

Part. 1

Part. 2

poettering commented Jul 2, 2018

LionNatsu commented Jul 2, 2018 • edited

LionNatsu commented Jul 2, 2018 •

edited

LionNatsu commented Jul 2, 2018 •

edited