
seccomp: Separate conditions for personality syscall into single rule

Open ManaSugi opened this issue 3 years ago • 1 comment

Separate each syscall condition (argument) for the personality syscall into a single rule, because libseccomp can only compare each condition once in a single rule; otherwise, adding the rule returns EINVAL on failure. In order to address the failure, general OCI runtimes such as runc add each condition as a separate rule if two or more conditions refer to the same argument, but this is a way of keeping compatibility (old behavior). Hence it will lead to wrong behavior, because the conditions of the rules will be a logical OR instead of a logical AND. In the case of the OCI tests for the personality syscall, we should explicitly separate the conditions into single rules as a logical OR, for container runtimes that do not support the above old behavior.

Ref. https://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html

Signed-off-by: Manabu Sugimoto [email protected]

ManaSugi, Aug 16 '22 05:08
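The semantic point of the description above (conditions inside one libseccomp rule are ANDed, separate rules for the same syscall are ORed, and a rule that compares the same argument index twice is rejected with EINVAL) is easy to get wrong when reading a seccomp profile. The following is an added example, not code from runtime-tools or runc: it models a minimal subset of the OCI runtime-spec `syscalls` entry, a precheck for repeated argument indices, the split-into-one-condition-per-rule transformation the description says runc performs for compatibility, and an evaluator that applies the AND-within-a-rule / OR-across-rules semantics to constructed personality(2) argument values. The personality constants are taken from `<sys/personality.h>`; the comparison operators follow the `SCMP_CMP_*` names from seccomp_rule_add(3). Everything else (type and function names) is an assumption made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal model of an OCI runtime-spec seccomp "syscalls" entry
// (JSON keys as in the spec). Constructed for this example only.
type SyscallArg struct {
	Index    uint   `json:"index"`
	Value    uint64 `json:"value"`
	ValueTwo uint64 `json:"valueTwo,omitempty"`
	Op       string `json:"op"`
}

type Syscall struct {
	Names  []string     `json:"names"`
	Action string       `json:"action"`
	Args   []SyscallArg `json:"args,omitempty"`
}

// personality(2) values from <sys/personality.h>.
const (
	PER_LINUX   uint64 = 0x0000000
	PER_LINUX32 uint64 = 0x0000008
	UNAME26     uint64 = 0x0020000
)

// HasDuplicateArgIndex reports whether one rule compares the same argument
// index more than once. libseccomp's seccomp_rule_add() rejects such a rule
// with EINVAL, so a loader has to detect this before deciding what to do.
func HasDuplicateArgIndex(s Syscall) bool {
	seen := map[uint]bool{}
	for _, a := range s.Args {
		if seen[a.Index] {
			return true
		}
		seen[a.Index] = true
	}
	return false
}

// SplitArgs rewrites a rule with N conditions into N rules with one
// condition each. This is the compatibility transformation described in the
// issue; note that it changes the semantics from AND (one rule) to OR (many).
func SplitArgs(s Syscall) []Syscall {
	if len(s.Args) <= 1 {
		return []Syscall{s}
	}
	out := make([]Syscall, 0, len(s.Args))
	for _, a := range s.Args {
		out = append(out, Syscall{Names: s.Names, Action: s.Action, Args: []SyscallArg{a}})
	}
	return out
}

// argMatches evaluates one condition against the live argument value,
// using the comparison semantics of the SCMP_CMP_* operators.
func argMatches(a SyscallArg, actual uint64) bool {
	switch a.Op {
	case "SCMP_CMP_EQ":
		return actual == a.Value
	case "SCMP_CMP_NE":
		return actual != a.Value
	case "SCMP_CMP_LT":
		return actual < a.Value
	case "SCMP_CMP_LE":
		return actual <= a.Value
	case "SCMP_CMP_GT":
		return actual > a.Value
	case "SCMP_CMP_GE":
		return actual >= a.Value
	case "SCMP_CMP_MASKED_EQ": // (actual & Value) == ValueTwo
		return actual&a.Value == a.ValueTwo
	}
	return false
}

// RuleMatches: within a single rule every condition must hold (logical AND).
func RuleMatches(s Syscall, args [6]uint64) bool {
	for _, a := range s.Args {
		if int(a.Index) > 5 || !argMatches(a, args[a.Index]) {
			return false
		}
	}
	return true
}

// FilterMatches: across rules for the same syscall, any matching rule
// wins (logical OR).
func FilterMatches(rules []Syscall, args [6]uint64) bool {
	for _, r := range rules {
		if RuleMatches(r, args) {
			return true
		}
	}
	return false
}

func main() {
	// One rule with three EQ conditions on argument 0: this is the shape
	// libseccomp rejects, and if it were accepted as written it could never
	// match, because one argument cannot equal three different values.
	combined := Syscall{Names: []string{"personality"}, Action: "SCMP_ACT_ALLOW",
		Args: []SyscallArg{
			{Index: 0, Value: PER_LINUX, Op: "SCMP_CMP_EQ"},
			{Index: 0, Value: PER_LINUX32, Op: "SCMP_CMP_EQ"},
			{Index: 0, Value: UNAME26, Op: "SCMP_CMP_EQ"},
		}}
	fmt.Println("duplicate arg index:", HasDuplicateArgIndex(combined))
	fmt.Println("combined rule matches personality(PER_LINUX):", RuleMatches(combined, [6]uint64{PER_LINUX}))

	split := SplitArgs(combined) // explicit OR: one rule per accepted value
	fmt.Println("split rules match personality(UNAME26):", FilterMatches(split, [6]uint64{UNAME26}))
	b, _ := json.MarshalIndent(split, "", "  ")
	fmt.Println(string(b))
}
```

Running it prints `true`, `false`, `true` and the three single-condition rules as JSON; that is the form the issue proposes for the runtime-tools personality test, so a runtime without runc's compatibility splitting loads the same OR semantics instead of failing with EINVAL.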

@vbatts @kolyshkin @mrunalp I’d appreciate it if you could review this.

ManaSugi, Sep 06 '22 11:09

@vbatts @kolyshkin @mrunalp @giuseppe PTAL

rhatdan, Oct 12 '22 23:10

close/reopen to re-kick CI

kolyshkin, Oct 13 '22 23:10