
Support SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV

Open AkihiroSuda opened this issue 2 years ago • 6 comments

SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV was added in the Spec v1.1.0-rc.1:

  • https://github.com/opencontainers/runtime-spec/pull/1161

AkihiroSuda avatar May 10 '23 13:05 AkihiroSuda

The commit https://github.com/seccomp/libseccomp/pull/391 is not in the released version yet, and thus there's no support in libseccomp-golang either.

kolyshkin avatar May 11 '23 22:05 kolyshkin

fa-gb avatar May 12 '23 11:05 fa-gb

I think maybe we have two issues to solve before supporting SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV:

  1. libseccomp needs a stable release.
  2. How to test SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV?

Zheaoli avatar Sep 27 '23 03:09 Zheaoli

About the test, I may have some ideas.

  1. We may need a new binary for SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV in contrib/cmd/, like the old seccompagent.
  2. We can listen on a UDS to reach the listener fd, and we should add a new signal handler for SIGUSR1.
  3. In the bash test, we can run the runc binary with SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV like the other seccomp tests.
  4. We send a SIGUSR1 to the runc process. We can check if this process is in the D state.
  5. We send a SIGUSR1 to the new seccomp agent; the agent will make a response for SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV, and the runc process would exit.
  6. We can check if the process exits correctly.

cc @utam0k

Zheaoli avatar Sep 27 '23 14:09 Zheaoli
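A helper for step 4 above (verifying that the container process is in the D state, which with SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV happens once the supervisor has received the notification), added as an example here and not code from the issue or from runc's own tests. It parses /proc/<pid>/stat at the last ')' so that a comm such as runc:[2:INIT] does not break the field split; procStatState and waitForState are hypothetical names.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"
)

// procStatState returns the state letter (3rd field) of a /proc/<pid>/stat line.
// comm is parenthesised and may contain spaces and ')', so split at the LAST ')'.
func procStatState(stat string) (byte, error) {
	end := strings.LastIndexByte(stat, ')')
	if end < 0 {
		return 0, fmt.Errorf("malformed stat line %q: no ')' after comm", stat)
	}
	fields := strings.Fields(stat[end+1:])
	if len(fields) == 0 || len(fields[0]) != 1 {
		return 0, fmt.Errorf("malformed stat line %q: state field missing", stat)
	}
	return fields[0][0], nil
}

// waitForState polls until the process reports the wanted state ('D' here) or
// the timeout expires; any read/parse error is returned as-is.
func waitForState(pid int, want byte, timeout time.Duration) error {
	deadline := time.Now().Add(timeout)
	for {
		data, err := os.ReadFile(fmt.Sprintf("/proc/%d/stat", pid))
		got := byte(0)
		if err == nil {
			got, err = procStatState(string(data))
		}
		if err != nil || got == want {
			return err // nil once the wanted state is observed
		}
		if time.Now().After(deadline) {
			return fmt.Errorf("pid %d is in state %q, wanted %q", pid, got, want)
		}
		time.Sleep(20 * time.Millisecond)
	}
}
func main() { // usage: waitstate <pid>; exits 0 once <pid> is in D state
	pid, _ := strconv.Atoi(os.Args[1])
	if err := waitForState(pid, 'D', 5*time.Second); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```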

I guess we can have a CI job to run the test with the main branch of libseccomp. Ideally we should wait for libseccomp v2.6 GA, but it doesn't seem planned soon.

AkihiroSuda avatar Sep 27 '23 14:09 AkihiroSuda

Ideally we should wait for libseccomp v2.6 GA, but it doesn't seem planned soon.

Yeah.... I will submit an issue to ask for the release plan.

Zheaoli avatar Sep 27 '23 14:09 Zheaoli