#9 Fix rhbz#2010508, rhbz#2011523, and rhbz#1988199.
Merged 2 years ago by olem. Opened 2 years ago by gotmax23.
rpms/gotmax23/moby-engine rawhide into rawhide

file modified
+2
@@ -21,3 +21,5 @@ 

  /cli-v20.10.7.tar.gz

  /cli-v20.10.8.tar.gz

  /moby-v20.10.8.tar.gz

+ /cli-v20.10.9.tar.gz

+ /moby-v20.10.9.tar.gz
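Review bot: the 20.10.7 and 20.10.8 tarball entries are left in place here while the `sources` hunk below drops the 20.10.8 checksums, so .gitignore keeps accumulating stale tarball names; harmless, but consider pruning the older entries when the corresponding `sources` lines go away.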

@@ -0,0 +1,189 @@ 

+ From 567c01f6d157cf6c1f39d68e9ca62e76d7834558 Mon Sep 17 00:00:00 2001

+ From: Tianon Gravi <admwiggin@gmail.com>

+ Date: Thu, 9 Sep 2021 11:31:30 -0700

+ Subject: [PATCH] seccomp: add support for "clone3" syscall in default policy

+ MIME-Version: 1.0

+ Content-Type: text/plain; charset=UTF-8

+ Content-Transfer-Encoding: 8bit

+ 

+ This is a backport of 9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594, adapted to avoid the refactoring that happened in d92739713c633c155c0f3d8065c8278b1d8a44e7.

+ 

+ Original commit message is as follows:

+ 

+ > If no seccomp policy is requested, then the built-in default policy in

+ > dockerd applies. This has no rule for "clone3" defined, nor any default

+ > errno defined. So when runc receives the config it attempts to determine

+ > a default errno, using logic defined in its commit:

+ >

+ >   opencontainers/runc@7a8d716

+ >

+ > As explained in the above commit message, runc uses a heuristic to

+ > decide which errno to return by default:

+ >

+ > [quote]

+ >   The solution applied here is to prepend a "stub" filter which returns

+ >   -ENOSYS if the requested syscall has a larger syscall number than any

+ >   syscall mentioned in the filter. The reason for this specific rule is

+ >   that syscall numbers are (roughly) allocated sequentially and thus newer

+ >   syscalls will (usually) have a larger syscall number -- thus causing our

+ >   filters to produce -ENOSYS if the filter was written before the syscall

+ >   existed.

+ > [/quote]

+ >

+ > Unfortunately clone3 appears to one of the edge cases that does not

+ > result in use of ENOSYS, instead ending up with the historical EPERM

+ > errno.

+ >

+ > Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use

+ > clone3 by default. If it sees ENOSYS then it will automatically

+ > fallback to using clone. Any other errno is treated as a fatal

+ > error. Thus when docker seccomp policy triggers EPERM from clone3,

+ > no fallback occurs and programs are thus unable to spawn threads.

+ >

+ > The clone3 syscall is much more complicated than clone, most notably its

+ > flags are not exposed as a directly argument any more. Instead they are

+ > hidden inside a struct. This means that seccomp filters are unable to

+ > apply policy based on values seen in flags. Thus we can't directly

+ > replicate the current "clone" filtering for "clone3". We can at least

+ > ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone"

+ > at which point we can filter on flags.

+ 

+ Signed-off-by: Tianon Gravi <admwiggin@gmail.com>

+ Co-authored-by: Daniel P. Berrangé <berrange@redhat.com>

+ ---

+  profiles/seccomp/default.json     | 16 ++++++++++++++++

+  profiles/seccomp/default_linux.go | 13 +++++++++++++

+  profiles/seccomp/seccomp.go       |  1 +

+  profiles/seccomp/seccomp_linux.go | 28 ++++++++++++----------------

+  4 files changed, 42 insertions(+), 16 deletions(-)

+ 

+ diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json

+ index 4213799ddb5..ee5e04f781a 100644

+ --- a/profiles/seccomp/default.json

+ +++ b/profiles/seccomp/default.json

+ @@ -591,6 +591,7 @@

+  			"names": [

+  				"bpf",

+  				"clone",

+ +				"clone3",

+  				"fanotify_init",

+  				"fsconfig",

+  				"fsmount",

+ @@ -670,6 +671,21 @@

+  				]

+  			}

+  		},

+ +		{

+ +			"names": [

+ +				"clone3"

+ +			],

+ +			"action": "SCMP_ACT_ERRNO",

+ +			"errnoRet": 38,

+ +			"args": [],

+ +			"comment": "",

+ +			"includes": {},

+ +			"excludes": {

+ +				"caps": [

+ +					"CAP_SYS_ADMIN"

+ +				]

+ +			}

+ +		},

+  		{

+  			"names": [

+  				"reboot"
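Review bot: `"errnoRet": 38` hardcodes the x86/ARM value of ENOSYS in the JSON profile, whereas the matching Go rule in default_linux.go uses `unix.ENOSYS`, so the two profiles diverge on architectures where ENOSYS is not 38 (MIPS uses 89, for example); since this JSON is what is shipped and consumed unchanged, note the caveat or generate it from the Go side. The `"comment": ""` on the new rule is also empty: a one-line comment saying that clone3 deliberately returns ENOSYS instead of the default EPERM so that glibc falls back to clone (where the flags can be filtered) would save the next reader from re-deriving the commit message.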

+ diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go

+ index 879eb88c64f..fb593f336f7 100644

+ --- a/profiles/seccomp/default_linux.go

+ +++ b/profiles/seccomp/default_linux.go

+ @@ -42,6 +42,7 @@ func arches() []Architecture {

+  

+  // DefaultProfile defines the allowed syscalls for the default seccomp profile.

+  func DefaultProfile() *Seccomp {

+ +	nosys := uint(unix.ENOSYS)

+  	syscalls := []*Syscall{

+  		{

+  			Names: []string{
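Review bot: `nosys := uint(unix.ENOSYS)` introduces a use of the `unix` package, but no import hunk appears for this file and the diffstat's 13 insertions are fully accounted for by the three visible hunks (1 + 1 + 11), so this only compiles if default_linux.go already imports golang.org/x/sys/unix; worth confirming before the build rather than after.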

+ @@ -522,6 +523,7 @@ func DefaultProfile() *Seccomp {

+  			Names: []string{

+  				"bpf",

+  				"clone",

+ +				"clone3",

+  				"fanotify_init",

+  				"fsconfig",

+  				"fsmount",

+ @@ -587,6 +589,17 @@ func DefaultProfile() *Seccomp {

+  				Caps: []string{"CAP_SYS_ADMIN"},

+  			},

+  		},

+ +		{

+ +			Names: []string{

+ +				"clone3",

+ +			},

+ +			Action:   specs.ActErrno,

+ +			ErrnoRet: &nosys,

+ +			Args:     []*specs.LinuxSeccompArg{},

+ +			Excludes: Filter{

+ +				Caps: []string{"CAP_SYS_ADMIN"},

+ +			},

+ +		},

+  		{

+  			Names: []string{

+  				"reboot",

+ diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go

+ index d2a21cddc4b..9edec72db54 100644

+ --- a/profiles/seccomp/seccomp.go

+ +++ b/profiles/seccomp/seccomp.go

+ @@ -45,6 +45,7 @@ type Syscall struct {

+  	Name     string                   `json:"name,omitempty"`

+  	Names    []string                 `json:"names,omitempty"`

+  	Action   specs.LinuxSeccompAction `json:"action"`

+ +	ErrnoRet *uint                    `json:"errnoRet,omitempty"`

+  	Args     []*specs.LinuxSeccompArg `json:"args"`

+  	Comment  string                   `json:"comment"`

+  	Includes Filter                   `json:"includes"`
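Review bot: the new `ErrnoRet *uint` field has no doc comment; add one stating that it maps to the OCI spec's `errnoRet` and is only meaningful when `Action` is `SCMP_ACT_ERRNO`. The `omitempty` tag is the right choice, since it keeps the JSON of existing profiles byte-for-byte unchanged.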

+ diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go

+ index 566f173acd3..e35e242cd50 100644

+ --- a/profiles/seccomp/seccomp_linux.go

+ +++ b/profiles/seccomp/seccomp_linux.go

+ @@ -150,29 +150,25 @@ Loop:

+  			}

+  		}

+  

+ +		newCall := specs.LinuxSyscall{

+ +			Action:   call.Action,

+ +			ErrnoRet: call.ErrnoRet,

+ +		}

+  		if call.Name != "" && len(call.Names) != 0 {

+  			return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")

+  		}

+ -

+  		if call.Name != "" {

+ -			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args))

+ +			newCall.Names = []string{call.Name}

+  		} else {

+ -			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args))

+ +			newCall.Names = call.Names

+ +		}

+ +		// Loop through all the arguments of the syscall and convert them

+ +		for _, arg := range call.Args {

+ +			newCall.Args = append(newCall.Args, *arg)

+  		}

+ -	}

+ -

+ -	return newConfig, nil

+ -}

+  

+ -func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {

+ -	newCall := specs.LinuxSyscall{

+ -		Names:  names,

+ -		Action: action,

+ +		newConfig.Syscalls = append(newConfig.Syscalls, newCall)

+  	}

+  

+ -	// Loop through all the arguments of the syscall and convert them

+ -	for _, arg := range args {

+ -		newCall.Args = append(newCall.Args, *arg)

+ -	}

+ -	return newCall

+ +	return newConfig, nil

+  }
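Review bot: `ErrnoRet: call.ErrnoRet` copies the pointer, not the value, so every `specs.LinuxSyscall` built from the same profile entry (and, for the default profile, the single `nosys` variable) aliases one `uint`; this is harmless as long as nothing writes through the pointer, but copying the value into a fresh variable would make the generated config independent of the source profile. Inlining `createSpecsSyscall` also deletes that function; the diffstat lists only the four files in profiles/seccomp, so any caller elsewhere in the tree would now fail to compile and should be checked.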

file modified
+12 -4
@@ -15,12 +15,12 @@ 

  

  # moby

  %global git_moby https://github.com/%{newname}/%{newname}

- %global commit_moby 75249d88bc107a122b503f6a50e89c994331867c

+ %global commit_moby 79ea9d3080181d755855d5924d0f4f116faa9463

  %global shortcommit_moby %(c=%{commit_moby}; echo ${c:0:7})

  

  # cli

  %global git_cli https://github.com/%{origname}/cli

- %global commit_cli 3967b7d28e15a020e4ee344283128ead633b3e0c

+ %global commit_cli c2ea9bc90bacf19bdbe37fd13eec8772432aca99

  %global shortcommit_cli %(c=%{commit_cli}; echo ${c:0:7})

  

  # tini
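Review bot: the new `commit_moby` and `commit_cli` values cannot be verified from this diff alone; before merging, confirm that 79ea9d3080181d755855d5924d0f4f116faa9463 and c2ea9bc90bacf19bdbe37fd13eec8772432aca99 are the commits the upstream v20.10.9 tags point at, since a mismatch would silently build a different tree than the version string claims.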
@@ -29,7 +29,7 @@ 

  %global shortcommit_tini %(c=%{commit_tini}; echo ${c:0:7})

  

  Name: %{newname}-engine

- Version: 20.10.8

+ Version: 20.10.9

  Release: 1%{?dist}

  Summary: The open-source application container engine

  License: ASL 2.0
@@ -40,6 +40,10 @@ 

  Source2: %{git_tini}/archive/%{commit_tini}.tar.gz

  Source3: %{service_name}.service

  Source4: %{service_name}.sysconfig

+ # Apply https://github.com/moby/moby/pull/42836 patch to fix Docker seccomp

+ # policy blocking clone3(). Also see rhbz#2011523 and rhbz#1988199.

+ # This patch should be part of the next release, so we can remove it then.

+ Patch0: 0001-seccomp-add-support-for-clone3-syscall-in-default-policy.patch

  URL: https://www.%{origname}.com

  

  # BuildRequires: golang-github-docker-devel
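Review bot: the comment above `Patch0` says the fix "should be part of the next release", which will go stale; name the upstream release expected to carry https://github.com/moby/moby/pull/42836 (or the upstream commit id) so whoever rebases to it knows the patch can be dropped.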
@@ -362,7 +366,7 @@ 

  This package installs %{summary}.

  

  %prep

- %autosetup -n moby-%{version}

+ %autosetup -p1 -n moby-%{version}

  

  # untar cli

  tar zxf %{SOURCE1}
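Review bot: `-p1` is the correct strip level, since the patch paths use the `a/profiles/...` and `b/profiles/...` prefixes; note that `%autosetup` only applies Patch0 to the moby tree, and the cli tarball is untarred afterwards by `tar zxf %{SOURCE1}`, which is fine here because the patch touches only profiles/seccomp in moby.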
@@ -511,6 +515,10 @@ 

  %{_datadir}/nano/Dockerfile.nanorc

  

  %changelog

+ * Fri Oct 08 2021 Maxwell G <gotmax@e.email> - 20.10.9-1

+ - Update to 20.10.9 (fixes rhbz#2010508)

+ - Patch seccomp policy to fix clone3() issue (fixes rhbz#2011523 and rhbz#1988199)

+ 

  * Sun Aug 15 2021 Olivier Lemasle <o.lemasle@gmail.com> - 20.10.8-1

  - Update to upstream 20.10.8 (fixes rhbz#1990148)

  - Fix seccomp support (fixes rhbz#1986092)

file modified
+2 -2
@@ -1,3 +1,3 @@ 

- SHA512 (cli-v20.10.8.tar.gz) = 60e9e623180d3cafd8bd6458d02574274871f94e88a0fa461e2200520717e837371a1b5d7fab6c9c4591e64807ab6f560e0756a9cfb1c1c8c9624b1f653346d0

- SHA512 (moby-v20.10.8.tar.gz) = 17c0519c8938227c578e5fe37689dd5a362b9673fabe06f98145b6fd5ae99e099a304c5706a84df30a2810855987fd694ac9cae7574023710fd1d99b0ca1aaf8

+ SHA512 (cli-v20.10.9.tar.gz) = 0a9bd36c139bb5e1cd4a975913aa5429ffce8c746d2104aa2a54d937c67073ddaa2a8a5e93d71d2d435459af58168de0e7e3a44fd452da535f3995738da206df

  SHA512 (de40ad007797e0dcd8b7126f27bb87401d224240.tar.gz) = 6e21fbcc8ab0daf2f2ac407f8d85373d2873d4b1e7d010056e4dd7071183fe1ede9dadf116c520e68a6226d5eb9d5ede383729327630600ed85080c1586bf3bb

+ SHA512 (moby-v20.10.9.tar.gz) = e4ae9e37633c821892e929e7a5f9dab652fe17f348a24cd37778bc4bfc33d99cdb347e2f575966364a37664dcfa83d1500f2bff7d0b0398a890f2039155a0c0c
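Review bot: the two new SHA512 lines only take effect once the matching 20.10.9 tarballs are uploaded to the lookaside cache; the submitter notes below that they cannot run `fedpkg new-sources`, so the packager merging this must upload them first or the build will fail on the checksum lookup, which is also why the CI job on this PR fails.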

Hi @olem,

In this PR, I updated Moby to the latest version and applied a patch to fix the clone3() issue. I changed the `commit_moby` and `commit_cli` variables accordingly. Please see my comments in the specfile and the linked Bugzilla tickets for more information about the clone3() issue. I checked the virtual provides in the `# Bundled dependencies` section, but there was nothing to change, as the `vendor.conf` files have not changed since the last release.

I think you have to run fedpkg new-sources before pushing the update; I can't, because I'm not a member of the packager group. That is also why the CI job fails.

This change is also relevant for f35 and f34. Can you please apply it to those branches, as well? I already rebased this patch onto the f35 and f34 branches on my fork, so I can create PRs for those branches if that would be helpful.

Thanks,
Maxwell

I tested the new package on my local machine and confirmed that it fixes the clone3() issue.

rebased onto 43e5a69

2 years ago

Thank you very much @gotmax23. I'm testing your PR.

Pull-Request has been merged by olem

2 years ago