
error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied #11005

Closed
chenk008 opened this issue Jul 21, 2021 · 12 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@chenk008
Copy link
Contributor

chenk008 commented Jul 21, 2021

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Failed to start container with runc.

Steps to reproduce the issue:

I have installed the latest release version runc.

podman run --runtime /usr/sbin/runc --cgroup-manager=cgroupfs --network=host --pid=host --ipc=host centos:8 ls -al /sys/fs/cgroup/memory/

Describe the results you received:

Error: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied

Describe the results you expected:

Container can start successfully.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

# podman -v
podman version 3.2.2

# runc -v
runc version 1.0.1
commit: v1.0.1-0-g4144b63817eb
spec: 1.0.2-dev
go: go1.16.5
libseccomp: 2.5.1

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.27, commit: '
  cpus: 1
  distribution:
    distribution: ubuntu
    version: "20.10"
  eventLogger: journald
  hostname: eefb2b2ee52b
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.14.231-173.361.amzn2.x86_64
  linkmode: dynamic
  memFree: 190509056
  memTotal: 1031061504
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.20.1.5-925d-dirty
      commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 1131h 31m 43.37s (Approximately 47.12 days)
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 38
    paused: 0
    running: 1
    stopped: 37
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.2.2
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.14.7
  OsArch: linux/amd64
  Version: 3.2.2

Package info (e.g. output of rpm -q podman or apt list podman):

# apt list podman
Listing... Done
podman/unknown,now 100:3.2.2-1 amd64 [installed]
podman/unknown 100:3.2.2-1 arm64
podman/unknown 100:3.2.2-1 armhf
podman/unknown 100:3.2.2-1 s390x

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 21, 2021
@rhatdan
Copy link
Member

rhatdan commented Jul 21, 2021

Does this work with crun? Could you make sure you have the latest runc 1.0.1?

@chenk008
Copy link
Contributor Author

@rhatdan It works with runc. And I have downloaded the latest runc 1.0.1 from https://github.com/opencontainers/runc/releases, I think it's the latest runc 1.0.1.

@unknowndevQwQ
Copy link
Contributor

> @rhatdan It works with runc. And I have downloaded the latest runc 1.0.1 from https://github.com/opencontainers/runc/releases, I think it's the latest runc 1.0.1.

Try #10885 (comment)
If you are using Arch/Manjaro

@rhatdan
Copy link
Member

rhatdan commented Jul 22, 2021

@giuseppe @AkihiroSuda Any idea what is going on? Is this a problem with an older libseccomp?

@giuseppe
Copy link
Member

A too old runc. runc 1.0 works fine

@rhatdan rhatdan closed this as completed Jul 22, 2021
@unknowndevQwQ
Copy link
Contributor

unknowndevQwQ commented Jul 22, 2021

> A too old runc. runc 1.0 works fine

I used https://github.com/opencontainers/runc/releases/download/v1.0.1/runc.amd64 but still have the same problem

./runc.amd64 --version:

runc version 1.0.1
commit: v1.0.1-0-g4144b63817eb
spec: 1.0.2-dev
go: go1.16.5
libseccomp: 2.5.1

@unknowndevQwQ
Copy link
Contributor

@giuseppe Can you post the output of runc --version?

@mheon
Copy link
Member

mheon commented Jul 22, 2021

If runc is new enough, it's possible libseccomp is not.

@kolyshkin
Copy link
Contributor

Well, I just discovered this independently. The fix is opencontainers/runc#3109

@kolyshkin
Copy link
Contributor

For some reason, podman does not set "defaultErrnoRet": 38 on my system, although it is set in /usr/share/containers/seccomp.json.

[kir@kir-rhat common]$ grep default /usr/share/containers/seccomp.json 
	"defaultAction": "SCMP_ACT_ERRNO",
	"defaultErrnoRet": 38,
[kir@kir-rhat common]$ podman run -d fedora sleep 1h
d7e1cbad58a52998ac5e3a950ceb40c385a8bf8fb8f3eed6aa14fa721b3f33df
[kir@kir-rhat common]$ jq < /home/kir/.local/share/containers/storage/overlay-containers/d7e1cbad58a52998ac5e3a950ceb40c385a8bf8fb8f3eed6aa14fa721b3f33df/userdata/config.json | grep default
      "defaultAction": "SCMP_ACT_ERRNO",

... and so there are redundant rules that were always rejected by runc:

[kir@kir-rhat common]$ jq .linux.seccomp < /home/kir/.local/share/containers/storage/overlay-containers/d7e1cbad58a52998ac5e3a950ceb40c385a8bf8fb8f3eed6aa14fa721b3f33df/userdata/config.json | head -50
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "bdflush",
        "io_pgetevents",
        "kexec_file_load",
        "kexec_load",
        "migrate_pages",
        "move_pages",
        "nfsservctl",
        "nice",
        "oldfstat",
        "oldlstat",
        "oldolduname",
        "oldstat",
        "olduname",
        "pciconfig_iobase",
        "pciconfig_read",
        "pciconfig_write",
        "sgetmask",
        "ssetmask",
        "swapcontext",
        "swapoff",
        "swapon",
        "sysfs",
        "uselib",
        "userfaultfd",
        "ustat",
        "vm86",
        "vm86old",
        "vmsplice"
      ],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1
    },
    {
      "names": [
        "_llseek",
        "_newselect",
        "accept",
        "accept4",
        "access",
        "adjtimex",
[kir@kir-rhat common]$ 

@kolyshkin
Copy link
Contributor

[kir@kir-rhat common]$ rpm -q podman containers-common
podman-3.2.2-1.fc34.x86_64
containers-common-1-20.fc34.noarch

I think this was recently fixed by #10690, and did not make its way to F34 yet.

Confirming that latest git tip works:

[kir@kir-rhat libpod]$ ./bin/podman version
Version:      3.3.0-dev
API Version:  3.3.0-dev
Go Version:   go1.16.5
Git Commit:   e6fb92f4782e2405d051c0ff1fcd13796c4cd575
Built:        Fri Jan  2 02:15:45 1970
OS/Arch:      linux/amd64
[kir@kir-rhat libpod]$ ./bin/podman run -d fedora sleep 1h
6d7eb4c152e070b00a1d18204fcbbe17a7d16818707f85c2cad7eaf49cd8dc67
[kir@kir-rhat libpod]$ jq < /home/kir/.local/share/containers/storage/overlay-containers/6d7eb4c152e070b00a1d18204fcbbe17a7d16818707f85c2cad7eaf49cd8dc67/userdata/config.json | grep efau
      "defaultAction": "SCMP_ACT_ERRNO",
      "defaultErrnoRet": 38,
[kir@kir-rhat libpod]$ ./bin/podman run --runtime=/usr/bin/runc fedora echo works
works
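Taken together, the two comments above explain the failure in the title: with defaultErrnoRet absent, the filter's default action is SCMP_ACT_ERRNO returning EPERM (the runtime-spec default of 1), which is exactly the action of the bdflush rule ("errnoRet": 1). libseccomp refuses to add a rule whose action is the same as the filter's default and reports EACCES, which runc surfaces as "permission denied". Once defaultErrnoRet is 38 (ENOSYS) the two actions differ and the rule is accepted. The following is an added example, not podman's, runc's or containers/common's own code: a small Python checker that finds rules in an OCI seccomp profile that collide with the default action and applies the same fix. The profile it inspects is constructed inline, the function names are mine, and it assumes the runtime-spec EPERM default and compares actions only (argument filters are ignored, as in runc's fix).

```python
import json
from typing import Optional

# errno values used by the OCI runtime-spec defaults and by the containers fix
EPERM = 1    # runtime-spec default for errnoRet / defaultErrnoRet when absent
ENOSYS = 38  # the defaultErrnoRet carried by /usr/share/containers/seccomp.json

# Constructed sample profile, shaped like the config.json podman 3.2.2 emitted
# in the thread: defaultErrnoRet is missing and the first rule returns errno 1.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["bdflush", "kexec_load", "uselib"],
         "action": "SCMP_ACT_ERRNO", "errnoRet": 1},
        {"names": ["_llseek", "accept", "accept4"],
         "action": "SCMP_ACT_ALLOW"},
    ],
})


def effective_action(action: str, errno_ret: Optional[int]) -> tuple:
    """Identity of an action as libseccomp sees it.

    SCMP_ACT_ERRNO(n) is a distinct action per errno value, so the errno is
    part of the identity; a missing errno defaults to EPERM per runtime-spec.
    Other actions carry no errno.
    """
    if action == "SCMP_ACT_ERRNO":
        return (action, EPERM if errno_ret is None else errno_ret)
    return (action, None)


def default_action(profile_json: str) -> tuple:
    """The filter's default action, with its effective errno resolved."""
    profile = json.loads(profile_json)
    return effective_action(profile["defaultAction"], profile.get("defaultErrnoRet"))


def find_redundant_rules(profile_json: str) -> list:
    """Return syscall names whose rule action equals the filter's default.

    libseccomp's seccomp_rule_add() refuses such a rule with EACCES
    ("permission denied"), which is what runc surfaced for bdflush above.
    Assumption: actions are compared without regard to argument filters,
    so a rule is flagged regardless of any "args" it carries.
    """
    profile = json.loads(profile_json)
    default = effective_action(profile["defaultAction"], profile.get("defaultErrnoRet"))
    redundant = []
    for rule in profile.get("syscalls", []):
        if effective_action(rule["action"], rule.get("errnoRet")) == default:
            redundant.extend(rule.get("names", []))
    return redundant


def with_default_errno(profile_json: str, errno: int = ENOSYS) -> str:
    """Apply the containers/common-style fix: make the default return ENOSYS
    so rules that deliberately return EPERM no longer collide with it.

    Only meaningful when defaultAction is SCMP_ACT_ERRNO; any other default
    is returned unchanged.
    """
    profile = json.loads(profile_json)
    if profile.get("defaultAction") == "SCMP_ACT_ERRNO":
        profile["defaultErrnoRet"] = errno
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    print("default action:       ", default_action(SAMPLE_PROFILE))
    print("redundant before fix: ", find_redundant_rules(SAMPLE_PROFILE))
    fixed = with_default_errno(SAMPLE_PROFILE)
    print("default after fix:    ", default_action(fixed))
    print("redundant after fix:  ", find_redundant_rules(fixed))
```

Run against the real file with `python3 check.py < /path/to/userdata/config.json` after swapping SAMPLE_PROFILE for `sys.stdin.read()` and passing `.linux.seccomp` through jq first, as in the thread. The checker also generalises beyond the ERRNO case: a profile whose default is SCMP_ACT_ALLOW is flagged for any explicit allow rule, which libseccomp rejects for the same reason.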

@kolyshkin
Copy link
Contributor

> I think this was recently fixed by #10690

... which brings in containers/common#573

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023