workspaces-issues
Custom Seccomp Policy with custom path not working
Describe the bug
I tried to use a custom seccomp policy with my custom workspace image to run apps like Chrome or VS Code with the sandbox feature.
When I define "seccomp=/opt/kasm/customfiles/seccomp.json" in the docker run override, I can't start my container and get an error message. If I define "unconfined", it works.
System Description
cat /etc/os-release
uname -a
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
Linux vps02 5.15.0-117-generic #127-Ubuntu SMP Fri Jul 5 20:13:28 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
KasmVNC Details
linuxserver/kasm docker image 1.15.0.577587
To Reproduce
- Go to 'Workspaces'
- Click on a workspace and edit
- Define in the docker run config override a custom seccomp profile with a path "/opt/customseccomp/myseccomp.json"
- Try to start the image
- See in the logs:
Failed to start container for kasm_id (9acebc4f-56ea-433e-aa81-eb61536e9d65) : 500 Server Error for http+docker://localhost/v1.46/containers/06d4b334e3a278b307c7b7b08d04709dcc8096595d0ac4a8f713df3241125c8f/start: Internal Server Error ("Decoding seccomp profile failed: invalid character '\'' looking for beginning of value")
&
Exception creating Kasm: Traceback (most recent call last):
  File "docker/api/client.py", line 268, in _raise_for_status
  File "requests/models.py", line 1021, in raise_for_status
requests.exceptions.HTTPError: 500 Server Error: Internal Server Error for url: http+docker://localhost/v1.46/containers/5af6a1c4b68a85b216d1ac32515424a06574fdbe378d05d3b8cf60f97cbef7ad/start
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "__init__.py", line 573, in post
  File "provision.py", line 1871, in provision
  File "provision.py", line 1863, in provision
  File "docker/models/containers.py", line 818, in run
  File "docker/models/containers.py", line 404, in start
  File "docker/utils/decorators.py", line 19, in wrapped
  File "docker/api/container.py", line 1111, in start
  File "docker/api/client.py", line 270, in _raise_for_status
  File "docker/errors.py", line 31, in create_api_error_from_http_exception
docker.errors.APIError: 500 Server Error for http+docker://localhost/v1.46/containers/5af6a1c4b68a85b216d1ac32515424a06574fdbe378d05d3b8cf60f97cbef7ad/start: Internal Server Error ("Decoding seccomp profile failed: invalid character '/' looking for beginning of value")
The Docker run override looks like:
{
  "hostname": "Cloud-Desktop",
  "security_opt": [
    "seccomp=/opt/kasm/customfiles/seccomp.json"
  ],
  "environment": {
    "KASM_PRINTER_NAME": "Cloud-Printer"
  },
  "extra_hosts": {
    "testing1.example.com": "10.0.0.1",
    "testing2.example.com": "10.0.0.2",
    "testing3.example.com": "10.0.0.3"
  }
}
Expected behavior
The container should start and append the custom seccomp.
Additional context
I also tried only a file name ("seccomp=test.json") and got the following error: Internal Server Error ("Decoding seccomp profile failed: invalid character 'e' in literal true (expecting 'r')")
The file does not exist. Does anyone know in which path I have to copy the file to test?
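
The errors in the logs above come from a JSON decoder reading the option value itself: the Docker CLI reads a `seccomp=<file>` profile on the client and sends its contents, whereas the Engine API reached through docker-py (visible in the traceback) decodes the value after `seccomp=` directly as the profile. The following is an added example, not part of the original issue or of Kasm's code, that inlines the profile JSON into a docker-py style override; `inline_seccomp` and `demo` are hypothetical names, the sample profile is constructed, and it is an assumption that Kasm hands the override to docker-py unchanged.

```python
import json
import os
import tempfile


def inline_seccomp(override: dict) -> dict:
    """Copy a docker-py style override, replacing seccomp=<path> entries
    with seccomp=<profile JSON>, which is what the Engine API decodes."""
    fixed = dict(override)
    if "security_opt" not in override:
        return fixed
    opts = []
    for opt in override["security_opt"]:
        key, sep, value = opt.partition("=")
        if key != "seccomp" or not sep or value == "unconfined":
            opts.append(opt)              # not a profile reference
            continue
        try:
            profile = json.loads(value)   # already inline JSON?
        except json.JSONDecodeError:
            with open(value, encoding="utf-8") as fh:  # treat as a path
                profile = json.load(fh)
        if not isinstance(profile, dict) or "defaultAction" not in profile:
            raise ValueError("seccomp value is not a profile object")
        opts.append("seccomp=" + json.dumps(profile, separators=(",", ":")))
    fixed["security_opt"] = opts
    return fixed


def demo() -> dict:
    # Constructed minimal profile, for illustration only.
    sample = {"defaultAction": "SCMP_ACT_ERRNO",
              "syscalls": [{"names": ["read", "write", "exit_group"],
                            "action": "SCMP_ACT_ALLOW"}]}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "seccomp.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        return inline_seccomp({"hostname": "Cloud-Desktop",
                               "security_opt": ["seccomp=" + path]})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The helper has to run where the profile file is readable, since the path is resolved by whoever builds the request, not by the Docker daemon.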