seccomp rejects redundant rules with "requested action matches default action of filter" #1847

Closed · alban opened this issue Jul 19, 2018 · 2 comments · Fixed by #3109

Comments

alban (Contributor) commented Jul 19, 2018

I am testing a config.json with seccomp rules that default to "allow" and a syscall rule with the same action, "allow".

```json
"seccomp": {
	"defaultAction": "SCMP_ACT_ALLOW",
	"architectures": [
		"SCMP_ARCH_X86_64",
		"SCMP_ARCH_X86",
		"SCMP_ARCH_X32"
	],
	"syscalls": [
		{
			"names": [
				"personality"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 0,
					"value": 0,
					"op": "SCMP_CMP_EQ"
				},
				{
					"index": 0,
					"value": 8,
					"op": "SCMP_CMP_EQ"
				},
				{
					"index": 0,
					"value": 4294967295,
					"op": "SCMP_CMP_EQ"
				}
			]
		},
		{
			"names": [
				"clone"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 0,
					"value": 2080505856,
					"op": "SCMP_CMP_MASKED_EQ"
				}
			]
		},
		{
			"names": [
				"getcwd"
			],
			"action": "SCMP_ACT_ERRNO"
		}
	]
}
```

runc returns the error:

```
error adding seccomp rule for syscall personality: requested action matches default action of filter
```

config.json could be programmatically generated with this kind of redundant rule. Could runc accept them instead and, in this case, drop the no-op rule about the personality syscall?

In the spec about actions, it says:

> action (string, REQUIRED) - the action for seccomp rules

But it does not say the action has to be different from the default action.

If you think runc's behaviour is correct, I could file an issue on the spec instead to say that the action has to be different than the default action.

This issue was found with runtime-tools test linux_seccomp.go.
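One way to do what the comment above asks for, dropping rules whose action equals the filter's default before the profile is handed to libseccomp, as an added example that is neither runc's code nor the change made in #3109. The struct types are hypothetical, trimmed-down mirrors of the runtime-spec seccomp fields; the `errnoRet`/`defaultErrnoRet` comparison and the EPERM fallback are assumptions taken from the runtime-spec text rather than from this issue, and the embedded `sampleConfig` is the issue's excerpt wrapped in an enclosing object so that it parses as a complete document.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical, trimmed-down mirrors of the OCI runtime-spec seccomp fields
// (example types for this demonstration, not runc's or runtime-spec's own).
type SeccompArg struct {
	Index uint   `json:"index"`
	Value uint64 `json:"value"`
	Op    string `json:"op"`
}

type SeccompRule struct {
	Names    []string     `json:"names"`
	Action   string       `json:"action"`
	ErrnoRet *uint        `json:"errnoRet,omitempty"` // assumed optional field
	Args     []SeccompArg `json:"args,omitempty"`
}

type Seccomp struct {
	DefaultAction   string        `json:"defaultAction"`
	DefaultErrnoRet *uint         `json:"defaultErrnoRet,omitempty"` // assumed
	Architectures   []string      `json:"architectures,omitempty"`
	Syscalls        []SeccompRule `json:"syscalls,omitempty"`
}

// errnoValue resolves an optional errno; EPERM (1) when unset, which is the
// default the runtime-spec states for errnoRet (assumption, see lead-in).
func errnoValue(p *uint) uint {
	if p == nil {
		return 1
	}
	return *p
}

// IsNoopRule reports whether the rule changes nothing: its action equals the
// filter's default action and, for actions that carry a value
// (SCMP_ACT_ERRNO, SCMP_ACT_TRACE), that value matches too, since libseccomp
// encodes the errno into the action it compares against the default.
func IsNoopRule(sc *Seccomp, r SeccompRule) bool {
	if r.Action != sc.DefaultAction {
		return false
	}
	if r.Action == "SCMP_ACT_ERRNO" || r.Action == "SCMP_ACT_TRACE" {
		return errnoValue(r.ErrnoRet) == errnoValue(sc.DefaultErrnoRet)
	}
	return true
}

// DropNoopRules removes no-op rules from sc.Syscalls and returns the names of
// the syscalls whose rules were dropped. Argument filters on a dropped rule
// are irrelevant: match or not, the outcome is the default action anyway.
func DropNoopRules(sc *Seccomp) (dropped []string) {
	var kept []SeccompRule
	for _, r := range sc.Syscalls {
		if IsNoopRule(sc, r) {
			dropped = append(dropped, r.Names...)
			continue
		}
		kept = append(kept, r)
	}
	sc.Syscalls = kept
	return dropped
}

// LoadAndClean parses a config.json and strips redundant rules before the
// profile would be passed rule-by-rule to libseccomp.
func LoadAndClean(raw []byte) (*Seccomp, []string, error) {
	var cfg struct {
		Seccomp *Seccomp `json:"seccomp"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, nil, fmt.Errorf("parse config: %w", err)
	}
	if cfg.Seccomp == nil {
		return nil, nil, nil
	}
	return cfg.Seccomp, DropNoopRules(cfg.Seccomp), nil
}

// sampleConfig: the issue's excerpt wrapped in an object (constructed input).
const sampleConfig = `{"seccomp": {
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"},
              {"index": 0, "value": 8, "op": "SCMP_CMP_EQ"},
              {"index": 0, "value": 4294967295, "op": "SCMP_CMP_EQ"}]},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2080505856, "op": "SCMP_CMP_MASKED_EQ"}]},
    {"names": ["getcwd"], "action": "SCMP_ACT_ERRNO"}
  ]
}}`
```

On the sample above, `LoadAndClean` drops both `SCMP_ACT_ALLOW` rules (`personality` and `clone`) and keeps only the `getcwd` rule, so nothing reaching libseccomp would trip the "requested action matches default action of filter" check. The errno comparison matters because a profile with `defaultAction` `SCMP_ACT_ERRNO` can still legitimately carry per-syscall `SCMP_ACT_ERRNO` rules that return a different errno; those are not redundant and must not be dropped.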

mrunalp (Contributor) commented Oct 23, 2020

@alban I think that runc's (and libseccomp's) behavior is correct here, and we should get the spec updated for this.
cc: @giuseppe

kolyshkin (Contributor) commented

It seems that I just fixed it in #3109
