Re: seccomp: Delay filter activation

From: Rodrigo Campos
Date: Fri Mar 19 2021 - 06:07:53 EST


On Thu, Mar 18, 2021 at 9:39 PM Sargun Dhillon <sargun@xxxxxxxxx> wrote:
> I believe that the OCI spec[2] is going to run into this class of problem unless
> we introduce an out of band signaling mechanism. I think a valid way to handle
> this is do a send() of the fd number (literal), and wait for the other side to
> pidfd_getfd the seccomp filter, and wait for the socket to be closed to continue,
> but I think we should maybe create an example (I volunteer) showing how to do this.

Well, we created a runc implementation for that OCI spec change and we
hit exactly that[1].

runc has a pipe mechanism to communicate already, so we use that. What
we do is: do the seccomp syscall, send the plain fd number over the
pipe and the parent gets the fd with pidfd_getfd()[2]. We use the pipe
to sync, so no issues with that part.

But, of course, if the seccomp filter blocks the syscall to send over
the pipe, this fails.

Christian, can you please elaborate on how you solve this on lxd? I'm
curious to understand if we can use the same in runc or not.


[1]: https://github.com/opencontainers/runc/pull/2682
[2]: https://github.com/opencontainers/runc/pull/2682/files#diff-f0214a0f16408fc7f168c6fc9837d189590025cc1813ebf7c1d751136936dfbfR172
--
Rodrigo Campos
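Added example (written for this page; not code from runc, LXD or the kernel): a pre-flight check for the failure Rodrigo describes above. After the child installs its filter with SECCOMP_FILTER_FLAG_NEW_LISTENER it still has to make a syscall (write() on runc's pipe, or sendmsg()) to tell the parent the listener fd number. If that syscall itself resolves to SECCOMP_RET_USER_NOTIF, the child blocks waiting for a supervisor that has not yet called pidfd_getfd(), and the handover deadlocks. The block below runs a seccomp cBPF program through a small interpreter that supports only the three opcodes such filters use, so it builds and runs without kernel headers or seccomp privileges. Assumptions: x86-64 syscall numbers and the "check arch, USER_NOTIF a list of syscalls, ALLOW the rest" filter shape (constructed here, in the shape libseccomp emits for SCMP_ACT_NOTIFY rules); the constants are the x86-64 values from <linux/seccomp.h>, <linux/filter.h>, <linux/audit.h> and <asm/unistd.h>.

```c
/* Added example, not runc/kernel code: would the fd-handover syscall be trapped
 * by the child's own freshly installed seccomp filter? */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BPF_LD_W_ABS 0x20U  /* BPF_LD  | BPF_W   | BPF_ABS */
#define BPF_JEQ_K    0x15U  /* BPF_JMP | BPF_JEQ | BPF_K   */
#define BPF_RET_K    0x06U  /* BPF_RET | BPF_K             */

#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#define SECCOMP_RET_USER_NOTIF   0x7fc00000U
#define SECCOMP_RET_ALLOW        0x7fff0000U
#define SECCOMP_RET_ACTION_FULL  0xffff0000U

#define AUDIT_ARCH_X86_64 0xC000003EU   /* x86-64 values assumed throughout */
#define NR_write   1
#define NR_sendmsg 46
#define NR_mkdir   83

struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data {
    int32_t  nr;
    uint32_t arch;
    uint64_t instruction_pointer;
    uint64_t args[6];
};

/* Interpret the filter for one syscall; returns the seccomp action word.
 * Only the LD|W|ABS, JMP|JEQ|K and RET|K opcodes are modelled. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD_W_ABS:            /* acc = 32-bit word at offset k of seccomp_data */
            if (in->k + 4 > sizeof *sd)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)sd + in->k, 4);
            break;
        case BPF_JEQ_K:               /* skip jt insns if acc == k, else jf */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET_K:
            return in->k;
        default:                      /* opcode outside this toy's subset */
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;  /* fell off the end; the kernel rejects such programs */
}

#define MAX_INSNS 64

/* Constructed filter: kill on wrong arch, USER_NOTIF each listed syscall, ALLOW the rest. */
static size_t build_notify_filter(struct sock_filter *out, const int *nrs, size_t n)
{
    size_t i = 0;
    out[i++] = (struct sock_filter){BPF_LD_W_ABS, 0, 0, offsetof(struct seccomp_data, arch)};
    out[i++] = (struct sock_filter){BPF_JEQ_K, 1, 0, AUDIT_ARCH_X86_64};
    out[i++] = (struct sock_filter){BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS};
    out[i++] = (struct sock_filter){BPF_LD_W_ABS, 0, 0, offsetof(struct seccomp_data, nr)};
    for (size_t j = 0; j < n && i + 3 <= MAX_INSNS; j++) {
        out[i++] = (struct sock_filter){BPF_JEQ_K, 0, 1, (uint32_t)nrs[j]};
        out[i++] = (struct sock_filter){BPF_RET_K, 0, 0, SECCOMP_RET_USER_NOTIF};
    }
    out[i++] = (struct sock_filter){BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW};
    return i;
}

/* 1 if the syscall the child uses to hand over the listener fd would itself be
 * trapped to the not-yet-attached supervisor (or killed): the handover hangs. */
int handover_deadlocks(const int *notified, size_t n, int handover_nr)
{
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_notify_filter(prog, notified, n);
    struct seccomp_data sd = { .nr = handover_nr, .arch = AUDIT_ARCH_X86_64 };
    uint32_t action = run_filter(prog, len, &sd) & SECCOMP_RET_ACTION_FULL;
    return action != SECCOMP_RET_ALLOW;
}

int main(void)
{
    int only_mkdir[] = { NR_mkdir };
    int mkdir_and_write[] = { NR_mkdir, NR_write };

    printf("notify{mkdir},       handover via write:   %s\n",
           handover_deadlocks(only_mkdir, 1, NR_write) ? "DEADLOCK" : "ok");
    printf("notify{mkdir,write}, handover via write:   %s\n",
           handover_deadlocks(mkdir_and_write, 2, NR_write) ? "DEADLOCK" : "ok");
    printf("notify{mkdir,write}, handover via sendmsg: %s\n",
           handover_deadlocks(mkdir_and_write, 2, NR_sendmsg) ? "DEADLOCK" : "ok");
    return 0;
}
```

The point of the check is that the runtime can decide, before the child calls seccomp(2), whether the syscall its handover path relies on is in the notify set, and either refuse the profile, pick a handover syscall the filter allows, or fall back to a mechanism that does not pass through the filter. To test a real profile rather than the constructed shape, the raw sock_filter array (for example what libseccomp's seccomp_export_bpf() writes out) can be fed straight into run_filter(), bearing in mind that the interpreter above only understands the three opcodes listed.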