Use seccomp library for adding seccomp configuration flags

[grantseltzer]

I added functionality to specify syscalls and their arguments for all actions. Also changed default action and archs flags to ociseccompgen library.

Now we can do things like:

ocitools generate --seccomp-errno clone,write --seccomp-trace getcwd --seccomp-trap umount:0:1:2:NE

The behavior mimics that of: https://github.com/GrantSeltzer/Manhattan

Also updated man page to reflect this change.

Signed-off-by: Grantseltzer grantseltzer@gmail.com

[grantseltzer]

Failing for a different reason, fixing right now.
@mrunalp :D 👍

[wking]

Why are we removing the pointer here?

[wking]

They just landed via #138.

[grantseltzer]

Hmmm, Must have accidentally cut it when making the new branch. Thanks for the call out.

[grantseltzer]

@wking Fixed

[wking]

dfe2722 → cfb6d90 talks about rebasing, and pulls in some recent
master changes like #170, but doesn't seem to have actually rebased
anything.

$ git log --graph --oneline --decorate origin/pr/159 | head -n4

• cfb6d90 (origin/pr/159) Rebase and clean up seccomp generate api
• dfe2722 Change generator receivers to pointers, other fixes
• 22752db Use seccomp library for adding seccomp configuration flags
• 3c2125c Merge pull request generate: fix tmpfs adding based on manpage #155 from Mashimiao/generate-fix-tmpfs-adding

You probably intended to rebase onto the current master.

[grantseltzer]

@wking Cleaning up now

[wking]

On Tue, Aug 02, 2016 at 12:55:58PM -0700, Grant Seltzer Richman wrote:

@wking Cleaning up now

cfb6d90 → a9b3569 looks like it rebases onto master and then merges
your old tip:

$ git glog a9b3569 | head -n7

• a9b3569 (origin/pr/159) Fix rebase
  |\
  | * cfb6d90 Rebase and clean up seccomp generate api
  | * dfe2722 Change generator receivers to pointers, other fixes
  | * 22752db Use seccomp library for adding seccomp configuration flags
• | a116901 Use seccomp library for adding seccomp configuration flags
• | 9d3881d (origin/master) Merge pull request update urfave/cli package #174 from hmeng-19/update_cli

The difference between a116901 and a9b3569 is that the latter removes
duplicate entries for setupLinuxNamespaces, parseIDMapping, etc. I
expect you:

1. Rebased cfb6d90 onto master to create a116901.
2. Tried to push a116901 to your public add-seccomp-cli-features, but
   Git warned you that it wasn't a fast-forward and suggested you merge.
3. Merged your old tip (cfb6d90) to get a9b3569.
4. Tried to push again (which succeeded).

What you probably wanted to do instead was use a --force push in (2)
to say “I know this isn't a fast forward, and I'm ok with that.
Please update the remote branch anyway”.

So I think you want to recover with something like:

$ git checkout add-seccomp-cli-features
$ git reset --hard a116901
$ git checkout a9b3569 -- cmd/ocitools/generate.go
$ git commit --amend --no-edit cmd/ocitools/generate.go
$ git push --force GrantSeltzer add-seccomp-cli-features

[grantseltzer]

@wking Wow thank you very much, My git skills have much improving to be done, I appreciate your help!

(Looking into build error right now)

[mrunalp]

pass context first

[grantseltzer]

@mrunalp PTAL

[mrunalp]

need to run gofmt on this file?

[grantseltzer]

👍

[mrunalp]

I think this looks fine overall. @hmeng-19 Could you test/review as well?

[haiyanmeng]

@grantseltzer , man/ocitools-generate.1.md also needs to be updated to reflect the new options.

[haiyanmeng]

@grantseltzer , it is not a real problem. But I believe you want to err := ....

[grantseltzer]

Just curious, what difference does it make in this context? Both appear to work

[haiyanmeng]

This works when you declare err before using var err error or err := .....
I pointed out because all the other for loops in this function seem to declare its own err.

[mrunalp]

For consistency, let's change this to err :=

[grantseltzer]

Sure

[rhatdan]

Ok that works for me.

[grantseltzer]

@mrunalp @rhatdan @wking

Would it be preferred to have the default white list be a part of the default ocitools generate or should a flag be specified to add it?

It makes sense to have it be included by default since other options work this way, the list is 4000+ lines though.

[mrunalp]

Should be part of default

Sent from my iPhone

On Aug 23, 2016, at 8:35 AM, Grant Seltzer Richman notifications@github.com wrote:

@mrunalp @rhatdan @wking

Would it be preferred to have the default white list be a part of the default ocitools generate or should a flag be specified to add it?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

[rhatdan]

Part of default.

[grantseltzer]

A default seccomp config is now a part of the output of ocitools generate, including detection of the system architecture.

The --seccomp-* flags edit on top of that

[mrunalp]

I just tried this out and the runtime tests fail:

-----------------------------------------------------------------------------------
VALIDATING RUNTIME: runc
-----------------------------------------------------------------------------------
runtime: failed to create new OS thread (have 2 already; errno=1)
fatal error: newosproc

runtime stack:
runtime.throw(0x57c714, 0x9)
        /usr/lib/golang/src/runtime/panic.go:566 +0x95
runtime.newosproc(0xc420028000, 0xc420037fc0)
        /usr/lib/golang/src/runtime/os_linux.go:160 +0x194
runtime.newm(0x5907f8, 0x0)
        /usr/lib/golang/src/runtime/proc.go:1572 +0x132
runtime.main.func1()
        /usr/lib/golang/src/runtime/proc.go:126 +0x36
runtime.systemstack(0x63bb00)
        /usr/lib/golang/src/runtime/asm_amd64.s:298 +0x79
runtime.mstart()
        /usr/lib/golang/src/runtime/proc.go:1079

goroutine 1 [running]:
runtime.systemstack_switch()
        /usr/lib/golang/src/runtime/asm_amd64.s:252 fp=0xc420022768 sp=0xc420022760
runtime.main()
        /usr/lib/golang/src/runtime/proc.go:127 +0x6c fp=0xc4200227c0 sp=0xc420022768
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:2086 +0x1 fp=0xc4200227c8 sp=0xc4200227c0
Runtime runc failed validation

[grantseltzer]

Which test is that? I can't reproduce that. I think what could be happening is there's a system call not in the white-list that is falling under the default action to errno

[grantseltzer]

I've added the syscalls to the default whitelist based on allowed capabilities, pretty sure that was the issue.

[grantseltzer]

@mrunalp PTAL

[mrunalp]

nit: space after //

[mrunalp]

From my testing:

 oci-runtime-tool generate --output config.json --tty --seccomp-errno getcwd 

I still see the default seccomp options with getcwd being allowed.

[mrunalp]

Next I tried to use a template with no syscalls set.

[root@dhcp-16-129 busybox]# oci-runtime-tool generate --output config.json --tty --seccomp-errno getcwd --template template.json                                                                                                                              
[root@dhcp-16-129 busybox]# vim config.json 
[root@dhcp-16-129 busybox]# tail -n 20 config.json 
                        {
                                "type": "ipc"
                        },
                        {
                                "type": "uts"
                        },
                        {
                                "type": "mount"
                        }
                ],
                "seccomp": {
                        "defaultAction": "SCMP_ACT_ERRNO",
                        "architectures": [
                                "SCMP_ARCH_X86_64",
                                "SCMP_ARCH_X86",
                                "SCMP_ARCH_X32"
                        ]
                }
        }

[grantseltzer]

For anyone else involved, based on my discussion with @mrunalp

There's a check that will error out if a syscall rule is specified that has the same action as the defaultAction (I've added an error message instead of it failing silently).

I'm going to be adding a seccomp-syscall-remove flag for the edge case of a rule for a system call existing already but we want to change it to the default (For example, if getcwd is set to allow, and the defaultAction is errno, and we want to change getcwd to errno). I'm also adding a flag to remove all syscall rules.

The other edge case that needed to be addressed is when a new default action is specified but there are already system calls that match it. This should cause an error and to report the system calls that have this matching action.

[mrunalp]

@grantseltzer For changing the default action, we should add a force flag in the API, so it clears syscalls that match the new action.

[grantseltzer]

@mrunalp Right, got it.

[grantseltzer]

The build keeps failing for what seems to be a CI issue, I'm not sure if something can be reset or this issue will just go away on its own tomorrow. Fixed: golint doesn't support Go 1.5 anymore, upgraded to 1.6

Regardless, I've added flags for removing specific syscall rules or just all of them. I've also added a force option for setting the default action without it deleting rules that already have the same action set.

[mrunalp]

LGTM
@Mashimiao @liangchenye @wking If you want to give it a look.

[Mashimiao]

I think the options should be in sorted list as #204 does. So we don't need to do it again.

[grantseltzer]

I went ahead and reordered it. While not in strict alphabetical order, I separated it logically so that the syscall action flags were together (and alphabetical), the default flags together, etc...

I think the way it is now makes the most sense.

[Mashimiao]

Personal opinion, separating them logically does not make too much sense. As seccomp related options all start with seccomp-*, easily to see they are in one group and find the needed one.
I think Following one standard(alphabetical order) makes more sense.
@wking @mrunalp @liangchenye any comments?

[grantseltzer]

Sure, I can concede that. Will fix now Fixed

[Mashimiao]

need rebased

[grantseltzer]

Woops, Thanks for catching that!

[Mashimiao]

@grantseltzer can you add new options to completions/bash/oci-runtime-tool.
If you are not familiar with that, I can add them at #167
And sorry for need another rebase.

[grantseltzer]

Sure no problem

@Mashimiao All fixed up, that reminded me to update the man page as well.

On Oct 12, 2016 10:06 PM, "Ma Shimiao" notifications@github.com wrote:

@grantseltzer https://github.com/GrantSeltzer can you add new options
to completions/bash/oci-runtime-tool.
If you are not familiar with that, I can add them at #167
#167
And sorry for need another rebase.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#159 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AKWrhbjHv1gLpj7QKdYJDbGhTqaHA4b6ks5qzZIkgaJpZM4JWwml
.

[mrunalp]

@Mashimiao Does this look fine to you now?

[Mashimiao]

Though there are some minimal issues(like part of new options not in alpha order in man), almost looks good.

[grantseltzer]

@Mashimiao Just fixed the man page order

[Mashimiao]

Thanks.
60473d2 looks good to me.

[mrunalp]

LGTM

[grantseltzer]

Thanks for the merge!

On Oct 17, 2016 1:43 PM, "Mrunal Patel" notifications@github.com wrote:

Merged #159 #159.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#159 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AKWrhe4lMMAmZvMrB3XWUl-V_fc1IpfSks5q07OygaJpZM4JWwml
.