Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

seccomp: patchbpf: always include native architecture in stub #4219

Merged
merged 2 commits into from
Mar 29, 2024
Merged

seccomp: patchbpf: always include native architecture in stub #4219

merged 2 commits into from
Mar 29, 2024

Conversation

cyphar
Copy link
Member

@cyphar cyphar commented Mar 13, 2024

It turns out that on ppc64le (at least), Docker doesn't include any
architectures in the list of allowed architectures. libseccomp
interprets this as "just include the default architecture" but patchbpf
would return a no-op ENOSYS stub, which would lead to the exact issues
that commit 7a8d716 ("seccomp: prepend -ENOSYS stub to all
filters") fixed for other architectures.

So, just always include the running architecture in the list. There's
no real downside.

Ref: https://bugzilla.suse.com/show_bug.cgi?id=1192051#c6
Reported-by: Fabian Vogt [email protected]
Signed-off-by: Aleksa Sarai [email protected]

@cyphar cyphar added this to the 1.2.0 milestone Mar 13, 2024
@cyphar
Copy link
Member Author

cyphar commented Mar 21, 2024

We'Ve confirmed this fixes the issue on ppc64le. For background, this issue means that our ENOSYS stub has never worked on ppc64le with Docker's default profile 😰.

kolyshkin
kolyshkin approved these changes Mar 28, 2024
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cyphar
seccomp: patchbpf: rename nativeArch -> linuxAuditArch
b288abe 
Calling the Linux AUDIT_* architecture constants "native" leads to
confusing code when we are getting the actual native architecture of the
running system.

Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar
seccomp: patchbpf: always include native architecture in stub
ccc500c 
It turns out that on ppc64le (at least), Docker doesn't include any
architectures in the list of allowed architectures. libseccomp
interprets this as "just include the default architecture" but patchbpf
would return a no-op ENOSYS stub, which would lead to the exact issues
that commit 7a8d716 ("seccomp: prepend -ENOSYS stub to all
filters") fixed for other architectures.

So, just always include the running architecture in the list. There's
no real downside.

Ref: https://bugzilla.suse.com/show_bug.cgi?id=1192051#c6
Reported-by: Fabian Vogt <[email protected]>
Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar cyphar merged commit a1acca9 into opencontainers:main Mar 29, 2024
45 checks passed
@cyphar cyphar deleted the seccomp-patchbpf-ppc64le branch March 29, 2024 01:48
@cyphar cyphar mentioned this pull request Apr 2, 2024
Merged
@cyphar cyphar mentioned this pull request Aug 8, 2024
Open
@cyphar cyphar mentioned this pull request Sep 3, 2024
Merged
@lifubang lifubang added the backport/1.1-done A PR in main branch which has been backported to release-1.1 label Sep 3, 2024
@cyphar cyphar mentioned this pull request Sep 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@kolyshkin kolyshkin kolyshkin approved these changes

Assignees
No one assigned
Labels
area/seccomp backport/1.1-done A PR in main branch which has been backported to release-1.1
Projects
None yet
Milestone
1.2.0
Development

Successfully merging this pull request may close these issues.
4 participants
@cyphar @kolyshkin @AkihiroSuda @lifubang