mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 06:03:57 +08:00
Implement Seccomp Notify
This commit implements support for the SCMP_ACT_NOTIFY action. It requires libseccomp-2.5.0 to work but runc still works with older libseccomp if the seccomp policy does not use the SCMP_ACT_NOTIFY action. A new synchronization step between runc[INIT] and runc run is introduced to pass the seccomp fd. runc run fetches the seccomp fd with pidfd_get from the runc[INIT] process and sends it to the seccomp agent using SCM_RIGHTS. As suggested by @kolyshkin, we also make writeSync() a wrapper of writeSyncWithFd() and wrap the error there. To avoid pointless errors, we made some existing code paths just return the error instead of re-wrapping it. If we don't do it, error will look like: writing syncT <act>: writing syncT: <err> By adjusting the code path, now they just look like this writing syncT <act>: <err> Signed-off-by: Alban Crequy <alban@kinvolk.io> Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io> Co-authored-by: Rodrigo Campos <rodrigo@kinvolk.io>
This commit is contained in:
committed by
Rodrigo Campos
parent
4e7aeff610
commit
2b025c0173
@@ -156,7 +156,12 @@ func (l *linuxStandardInit) Init() error {
|
||||
// do this before dropping capabilities; otherwise do it as late as possible
|
||||
// just before execve so as few syscalls take place after it as possible.
|
||||
if l.config.Config.Seccomp != nil && !l.config.NoNewPrivileges {
|
||||
if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
|
||||
seccompFd, err := seccomp.InitSeccomp(l.config.Config.Seccomp)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := syncParentSeccomp(l.pipe, seccompFd); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
@@ -181,6 +186,21 @@ func (l *linuxStandardInit) Init() error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// Set seccomp as close to execve as possible, so as few syscalls take
|
||||
// place afterward (reducing the amount of syscalls that users need to
|
||||
// enable in their seccomp profiles). However, this needs to be done
|
||||
// before closing the pipe since we need it to pass the seccompFd to
|
||||
// the parent.
|
||||
if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
|
||||
seccompFd, err := seccomp.InitSeccomp(l.config.Config.Seccomp)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to init seccomp: %w", err)
|
||||
}
|
||||
|
||||
if err := syncParentSeccomp(l.pipe, seccompFd); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
// Close the pipe to signal that we have completed our init.
|
||||
logrus.Debugf("init: closing the pipe to signal completion")
|
||||
_ = l.pipe.Close()
|
||||
@@ -202,6 +222,7 @@ func (l *linuxStandardInit) Init() error {
|
||||
if _, err := unix.Write(fd, []byte("0")); err != nil {
|
||||
return &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
|
||||
}
|
||||
|
||||
// Close the O_PATH fifofd fd before exec because the kernel resets
|
||||
// dumpable in the wrong order. This has been fixed in newer kernels, but
|
||||
// we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.
|
||||
@@ -209,14 +230,6 @@ func (l *linuxStandardInit) Init() error {
|
||||
// since been resolved.
|
||||
// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
|
||||
_ = unix.Close(l.fifoFd)
|
||||
// Set seccomp as close to execve as possible, so as few syscalls take
|
||||
// place afterward (reducing the amount of syscalls that users need to
|
||||
// enable in their seccomp profiles).
|
||||
if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
|
||||
if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
|
||||
return fmt.Errorf("unable to init seccomp: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
s := l.config.SpecState
|
||||
s.Pid = unix.Getpid()
|
||||
|
||||
Reference in New Issue
Block a user