
Look into using gvisor.dev/gvisor/pkg/seccomp

Open kolyshkin opened this issue 3 years ago • 18 comments

Apparently, https://pkg.go.dev/gvisor.dev/gvisor/pkg/seccomp can potentially be used (instead of libseccomp / libseccomp-golang) to implement seccomp in runc. Need to look into it.

kolyshkin avatar Feb 21 '22 18:02 kolyshkin

Looks like we will have to add a few arch-specific constants to support ppc64le, s390x, arm (32-bit), and other minor architectures.

AkihiroSuda avatar Feb 22 '22 03:02 AkihiroSuda

I don't like the mega dependency on gvisor.dev/gvisor/pkg/*. https://github.com/google/gvisor/blob/e0e9a19bffcb4fd4e545d3942104734f4d911f92/pkg/seccomp/seccomp_unsafe.go#L23 https://github.com/google/gvisor/blob/e0e9a19bffcb4fd4e545d3942104734f4d911f92/pkg/abi/linux/linux_amd64_abi_autogen_unsafe.go#L15-L17

Probably, we should fork gvisor.dev/gvisor/pkg/seccomp and its minimum dependency to another repo. (opencontainers/go-seccomp? moby/sys/seccomp? Or just opencontainers/runc/libcontainer/seccomp?)

AkihiroSuda avatar Feb 22 '22 03:02 AkihiroSuda

This is my simple interest, what is the reason you want to change the seccomp library? Are there any hard spots?

utam0k avatar Mar 26 '22 13:03 utam0k

> This is my simple interest, what is the reason you want to change the seccomp library? Are there any hard spots?

Cross-compilation is often cumbersome with cgo. Also, distros' libseccomp is often outdated and lacks support for recently added syscalls.

AkihiroSuda avatar Mar 26 '22 13:03 AkihiroSuda

I got it. I'm interested in contributing to runc. If I have a chance to try it, I'd like to take it.

utam0k avatar Mar 28 '22 11:03 utam0k

Removed from v1.2.0 milestone, but contribution is still welcome

AkihiroSuda avatar Jul 11 '22 09:07 AkihiroSuda

Sorry, I forgot about this issue. Can I try it already? If yes, please assign me 😍

utam0k avatar Jul 15 '22 01:07 utam0k

@utam0k Assigned

AkihiroSuda avatar Jul 15 '22 01:07 AkihiroSuda

@AkihiroSuda Thanks!

utam0k avatar Jul 15 '22 01:07 utam0k

  • [ ] seccompagent.go
  • [ ] seccomp_test.go
  • [ ] seccomp_linux.go
  • [ ] ecosys_linux.go
  • [ ] seccomp_internal.go

utam0k avatar Jul 15 '22 02:07 utam0k

@kolyshkin @AkihiroSuda Sorry for the delayed reply. I looked into gvisor.dev/gvisor/pkg/seccomp a little. I found some problems with using it instead of libseccomp-golang:

  • Doesn't support seccomp notify
  • Only little endian systems are supported

WDYT? How should I proceed with this issue?

utam0k avatar Aug 24 '22 11:08 utam0k
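The "only little endian systems are supported" point above is worth seeing in code. The kernel hands a seccomp filter a `struct seccomp_data` whose six arguments are native-endian 64-bit values, while classic BPF can only load 32-bit words, so the byte offsets of the low and high halves of an argument swap between little- and big-endian hosts (the same reason libseccomp carries per-arch tables). The following is an added example written for this thread, not code from runc, libseccomp-golang or gVisor: a minimal pure-Go (no cgo) seccomp BPF builder for a toy x86_64 policy, plus a tiny interpreter that evaluates the program against a constructed `seccomp_data` the way the kernel would. It shows a filter built with little-endian offsets silently misreading the argument on a big-endian layout, and also the standard 64-bit check (reject an argument whose high half is non-zero) that a filter comparing only the low 32 bits must include. Opcode, return-code, syscall and errno constants are the Linux UAPI values; the policy itself and all names are this example's own.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Classic BPF opcodes and seccomp constants from linux/filter.h,
// linux/seccomp.h and linux/audit.h.
const (
	opLdWAbs = 0x20 // BPF_LD | BPF_W | BPF_ABS: A = 32-bit word at seccomp_data[k]
	opJeqK   = 0x15 // BPF_JMP | BPF_JEQ | BPF_K: pc += (A == k) ? jt : jf
	opRetK   = 0x06 // BPF_RET | BPF_K: return k

	retKillProcess  = 0x80000000
	retErrno        = 0x00050000 // low 16 bits carry the errno
	retAllow        = 0x7fff0000
	auditArchX86_64 = 0xc000003e

	sysWrite, sysSocket, afInet = 1, 41, 2 // x86_64 numbers used by the toy policy
	EPERM, EINVAL, EAFNOSUPPORT = 1, 22, 97
)

// insn mirrors struct sock_filter.
type insn struct {
	Code   uint16
	JT, JF uint8
	K      uint32
}

// seccompData mirrors struct seccomp_data (64 bytes, native endianness).
type seccompData struct {
	NR   int32
	Arch uint32
	IP   uint64
	Args [6]uint64
}

// argOffsets returns the offsets of the low and high 32-bit halves of
// args[i]. This is the endianness-dependent step: on big-endian hosts the
// high word comes first in memory.
func argOffsets(order binary.ByteOrder, i int) (lo, hi uint32) {
	base := uint32(16 + 8*i)
	if order == binary.BigEndian {
		return base + 4, base
	}
	return base, base + 4
}

// jmp computes a relative BPF jump offset: target = pc + 1 + offset.
func jmp(from, to int) uint8 { return uint8(to - from - 1) }

// buildFilter assembles the toy policy for the given host byte order:
// wrong arch -> kill; write -> allow; socket(AF_INET, ...) -> allow;
// socket with a non-zero high half of arg0 -> EINVAL; other socket domains
// -> EAFNOSUPPORT; everything else -> EPERM.
func buildFilter(order binary.ByteOrder) []insn {
	const lAllow, lEPERM, lEINVAL, lEAFNO, lKill = 9, 10, 11, 12, 13
	lo, hi := argOffsets(order, 0)
	return []insn{
		{opLdWAbs, 0, 0, 4},                                  // 0: A = arch
		{opJeqK, 0, jmp(1, lKill), auditArchX86_64},          // 1: arch check first
		{opLdWAbs, 0, 0, 0},                                  // 2: A = nr
		{opJeqK, jmp(3, lAllow), 0, sysWrite},                // 3
		{opJeqK, 0, jmp(4, lEPERM), sysSocket},               // 4
		{opLdWAbs, 0, 0, hi},                                 // 5: A = high half of arg0
		{opJeqK, 0, jmp(6, lEINVAL), 0},                      // 6: must be zero (64-bit pitfall)
		{opLdWAbs, 0, 0, lo},                                 // 7: A = low half of arg0
		{opJeqK, jmp(8, lAllow), jmp(8, lEAFNO), afInet},     // 8
		{opRetK, 0, 0, retAllow},                             // 9
		{opRetK, 0, 0, retErrno | EPERM},                     // 10
		{opRetK, 0, 0, retErrno | EINVAL},                    // 11
		{opRetK, 0, 0, retErrno | EAFNOSUPPORT},              // 12
		{opRetK, 0, 0, retKillProcess},                       // 13
	}
}

// encode produces the sock_filter array handed to seccomp(2)/prctl(2).
func encode(prog []insn, order binary.ByteOrder) []byte {
	out := make([]byte, 0, 8*len(prog))
	for _, in := range prog {
		var b [8]byte
		order.PutUint16(b[0:], in.Code)
		b[2], b[3] = in.JT, in.JF
		order.PutUint32(b[4:], in.K)
		out = append(out, b[:]...)
	}
	return out
}

// run lays out d in memory in the given byte order and evaluates prog on it
// with the same semantics the kernel's classic BPF interpreter applies.
func run(prog []insn, order binary.ByteOrder, d seccompData) (uint32, error) {
	buf := make([]byte, 64)
	order.PutUint32(buf[0:], uint32(d.NR))
	order.PutUint32(buf[4:], d.Arch)
	order.PutUint64(buf[8:], d.IP)
	for i, a := range d.Args {
		order.PutUint64(buf[16+8*i:], a)
	}
	var acc uint32
	for pc := 0; pc < len(prog); pc++ {
		in := prog[pc]
		switch in.Code {
		case opLdWAbs:
			if in.K+4 > uint32(len(buf)) {
				return 0, fmt.Errorf("load out of bounds at %d", pc)
			}
			acc = order.Uint32(buf[in.K:])
		case opJeqK:
			if acc == in.K {
				pc += int(in.JT)
			} else {
				pc += int(in.JF)
			}
		case opRetK:
			return in.K, nil
		default:
			return 0, fmt.Errorf("unsupported opcode %#x at %d", in.Code, pc)
		}
	}
	return 0, fmt.Errorf("filter fell off the end")
}

func main() {
	sock := seccompData{NR: sysSocket, Arch: auditArchX86_64, Args: [6]uint64{afInet}}
	le, be := binary.LittleEndian, binary.BigEndian
	r1, _ := run(buildFilter(le), le, sock) // constructed call: socket(AF_INET) on LE host
	r2, _ := run(buildFilter(le), be, sock) // same filter, big-endian layout: halves swapped
	r3, _ := run(buildFilter(be), be, sock) // filter built for BE: correct again
	fmt.Printf("LE/LE %#x  LE-filter/BE-data %#x  BE/BE %#x\n", r1, r2, r3)
}
```

`run` is only a model for reasoning about the program offline; installing the bytes from `encode` for real needs `prctl(PR_SET_NO_NEW_PRIVS)` followed by `seccomp(2)` or `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...)` with a `sock_fprog` pointing at them, and the arch check at instruction 1 must stay first, since syscall numbers are only meaningful for the architecture the kernel reports.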

@utam0k

Thank you for taking a look at this. I think it is ok to fork the repo for implementing the missing features. Forking also seems almost necessary to get rid of the mega dependencies on gvisor.dev/gvisor/pkg/*: https://github.com/opencontainers/runc/issues/3388#issuecomment-1047392611

AkihiroSuda avatar Aug 24 '22 12:08 AkihiroSuda