Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add available LinuxSeccompFlags #1138

Merged
merged 1 commit into from
Jul 18, 2022
Merged

Add available LinuxSeccompFlags #1138

merged 1 commit into from
Jul 18, 2022

Conversation

saschagrunert
Copy link
Contributor

We now list the available LinuxSeccompFlag values as part of the runtime spec.

cc @alban

@saschagrunert saschagrunert mentioned this pull request Feb 23, 2022
Merged
alban
alban reviewed Feb 23, 2022
View reviewed changes
specs-go/config.go Outdated
Comment on lines 625 to 631
// LinuxSeccompFlagTsync is the filter to synchronize all other threads of
// the calling process to the same seccomp filter tree. A "filter tree" is
// the ordered list of filters attached to a thread. (Attaching identical
// filters in separate seccomp() calls results in different filters from
// this perspective.)
LinuxSeccompFlagTsync LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_TSYNC"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With @rata we were discussing whether to remove tsync from the spec. In the context of container runtimes, the process will call seccomp() before exec() to the entrypoint, so all other threads, if any, will be terminated anyway, so tsync does not make a difference.

Examples:

  • AFAIU crun is not multithreaded, so tsync is meaningless
  • runc is written in Go so multithreaded, but uses libseccomp-golang that always set tsync: it's not configurable because threads and Go routine are not necessarily tightly coupled.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The spec still lists all three as available:
https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp

I'm a bit concerned that it will cause confusion if we remove it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added it without thinking if it made any sense as I've copied all the existing flags. I agree that it is pointless in the OCI specs, and we could drop it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it should be removed, I think it should be marked as deprecated.

See this: #1077

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good, removed it from the code now.

alban
alban reviewed Feb 23, 2022
View reviewed changes
specs-go/config.go Outdated Show resolved Hide resolved
alban
alban reviewed Feb 23, 2022
View reviewed changes
specs-go/config.go Outdated Show resolved Hide resolved
rata
rata reviewed Feb 23, 2022
View reviewed changes
Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a side note, there is already an open PR doing this: #1108

specs-go/config.go Outdated
Comment on lines 625 to 631
// LinuxSeccompFlagTsync is the filter to synchronize all other threads of
// the calling process to the same seccomp filter tree. A "filter tree" is
// the ordered list of filters attached to a thread. (Attaching identical
// filters in separate seccomp() calls results in different filters from
// this perspective.)
LinuxSeccompFlagTsync LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_TSYNC"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it should be removed, I think it should be marked as deprecated.

See this: #1077

specs-go/config.go Outdated
Comment on lines 626 to 630
// LinuxSeccompFlagTsync is the filter to synchronize all other threads of
// the calling process to the same seccomp filter tree. A "filter tree" is
// the ordered list of filters attached to a thread. (Attaching identical
// filters in separate seccomp() calls results in different filters from
// this perspective.)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I pointed out in another PR doing the same, I don't think we should add a const for this: #1108 (comment)

@saschagrunert @alban
Add available LinuxSeccompFlags
e78a3c3 
We now list the available `LinuxSeccompFlag` values as part of the
runtime spec.

Signed-off-by: Sascha Grunert <[email protected]>
Co-authored-by: Alban Crequy <[email protected]>
Signed-off-by: Sascha Grunert <[email protected]>
@rata
Copy link
Member

rata commented Feb 23, 2022

@saschagrunert thanks, this SGTM. It is also handling the comments that were raised by @tianon in the other PR.

I'd cc @thaJeztah and @tianon just in case. I don't mind which PR ends up being merged, but IMO there should be some coordination with authors of the other PR :)

vbatts
vbatts approved these changes Apr 20, 2022
View reviewed changes
specs-go/config.go
// override this filter flag by preventing specific actions from being
// logged via the /proc/sys/kernel/seccomp/actions_logged file. (since
// Linux 4.14)
LinuxSeccompFlagLog LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_LOG"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@thaJeztah since the name of these variables is different than in your PR (FlagLog and FlagAllow) I'm wondering if Docker/moby has already used your variables?
I'm inclined to merge this PR given the robust comments and that it drops the TS_SYNC flag that @rata called out

kolyshkin
kolyshkin approved these changes Jun 30, 2022
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@AkihiroSuda
Copy link
Member

ping @opencontainers/runtime-spec-maintainers

@tianon tianon merged commit a8106e9 into opencontainers:main Jul 18, 2022
@tianon tianon mentioned this pull request Jul 18, 2022
Closed
@saschagrunert saschagrunert deleted the seccomp-filter-flags branch July 19, 2022 06:58
@AkihiroSuda AkihiroSuda mentioned this pull request Jan 24, 2023
Merged
@AkihiroSuda AkihiroSuda added this to the v1.1.0 milestone Feb 1, 2023
@AkihiroSuda AkihiroSuda mentioned this pull request Jun 26, 2023
Merged
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rata rata rata left review comments

@alban alban alban left review comments

@kolyshkin kolyshkin kolyshkin approved these changes

@tianon tianon tianon approved these changes

@vbatts vbatts vbatts approved these changes

@crosbymichael crosbymichael Awaiting requested review from crosbymichael crosbymichael is a code owner

@cyphar cyphar Awaiting requested review from cyphar cyphar is a code owner

@dqminh dqminh Awaiting requested review from dqminh dqminh is a code owner

@giuseppe giuseppe Awaiting requested review from giuseppe giuseppe is a code owner

@hqhq hqhq Awaiting requested review from hqhq hqhq is a code owner

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.1.0
Development

Successfully merging this pull request may close these issues.
8 participants
@saschagrunert @rata @AkihiroSuda @alban @vbatts @giuseppe @tianon @kolyshkin