Default seccomp whitelist is insufficient on ARM #3629

RobinMcCorkell · 2017-04-05T17:35:09Z

Environment

rkt Version: 1.25.0
appc Version: 0.8.10
Go Version: go1.8
Go OS/Arch: linux/arm
Features: -TPM +SDJOURNAL
--
Linux 4.9.17-1-ARCH armv7l
--
NAME="Arch Linux ARM"
ID=archarm
ID_LIKE=arch
PRETTY_NAME="Arch Linux ARM"
ANSI_COLOR="0;36"
HOME_URL="http://archlinuxarm.org/"
SUPPORT_URL="https://archlinuxarm.org/forum"
BUG_REPORT_URL="https://github.com/archlinuxarm/PKGBUILDs/issues"
--
systemd 232
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

What did you do?

Attempt to run nearly any binary on an ARMv7l architecture through rkt. Oddly the Go "Hello World" binary works fine, but even a simple int main() { return 0; } compiled statically with gcc hits this problem.

What did you expect to see?

Successful execution of the executable.

What did you see instead?

Executable is killed with SIGSYS, due to calling an ARM-specific syscall that isn't whitelisted in the default seccomp profile.

The Docker seccomp profile includes support for ARM and AArch64 devices, it specifically whitelists these syscalls:

"arm_fadvise64_64",
"arm_sync_file_range",
"sync_file_range2",
"breakpoint",
"cacheflush",
"set_tls"

Running strace on a simple ARM binary shows set_tls is called, hence the SIGSYS under rkt.

It would be great to see rkt working fully on ARM, I know it's not officially supported at the moment but I can hope 😄

The text was updated successfully, but these errors were encountered:

trusch · 2017-04-08T17:55:00Z

+1 on this. I'm fairly new to rkts codebase, but I'll have a look, perhaps it's just extending an existing array.

trusch · 2017-04-10T10:38:16Z

I think this should be whitelisted in stage1/init/common/seccomp_wildcards.go. Indeed the needed syscalls are not listed there. I think you could use --insecure-options=seccomp for now as a workaround.

@lucab Do you see any problems about this whitelist being extended per default, or do you think that this should be dynamically added when running on ARM? I would open a PR for this if you want. @Xenopathic Do you have any other reference about what syscalls are especially needed for ARM devices?

lucab · 2017-04-10T11:23:35Z

Do you see any problems about this whitelist being extended per default, or do you think that this should be dynamically added when running on ARM?

I would expect these to be added only when running on matching architectures, as some of those syscalls don't exist on other arch (e.g. arm_fadvise64_64).

trusch · 2017-04-10T11:43:56Z

@Xenopathic I can not reproduce your issue:

main.c:

#include <stdio.h>
int main(){
  printf("hello world\n");
  return 0;
}

Makefile:

all: hello-static-armv7l.aci
hello.static.armv7l: main.c
	arm-linux-gnueabihf-gcc -o hello.static.armv7l -static main.c
hello-static-armv7l.aci: hello.static.armv7l
	bash build-aci.sh hello.static.armv7l armv7l static
clean:
	-rm -f hello*

build-aci.sh:

#!/bin/bash

BIN=$1
ARCH=$2
TYPE=$3

acbuild --debug begin

# In the event of the script exiting, end the build
trap "{ export EXT=$?; acbuild --debug end && exit $EXT; }" EXIT

acbuild --debug set-name trusch.io/hello
acbuild --debug label add arch $ARCH
acbuild --debug copy $BIN /hello
acbuild --debug set-exec -- /hello
acbuild --debug write --overwrite hello-${TYPE}-${ARCH}.aci
gpg --sign --detach --armor --yes hello-${TYPE}-${ARCH}.aci

exit $?

Environment:

rkt Version: 1.25.0+git5f4e77e4
appc Version: 0.8.10
Go Version: go1.8
Go OS/Arch: linux/arm
Features: +TPM +SDJOURNAL
--
Linux 4.4.38 armv7l
--
NAME=Buildroot
VERSION=2017.05-git-gece884a
ID=buildroot
VERSION_ID=2017.05-git
PRETTY_NAME="Buildroot 2017.05-git"
--
systemd 232
-PAM -AUDIT -SELINUX -IMA -APPARMOR -SMACK +SYSVINIT +UTMP -LIBCRYPTSETUP +GCRYPT -GNUTLS -ACL -XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN

Output:

root@imx6:~# rkt run hello-static-armv7l.aci
image: signature verified:
  Tino Rusch <tino.rusch@gmail.com>
[ 5616.557952] hello[5]: hello world

Can you provide detailed information on how to reproduce this?

RobinMcCorkell · 2017-04-10T11:57:39Z

-SECCOMP

Looks like your systemd is compiled without seccomp enforcement, which if you are using host flavour stage1 (or whatever stage1 you are using uses systemd with -SECCOMP) then you won't trigger the issue.

trusch · 2017-04-10T12:02:50Z

Ah ok, my fault. I only have some devices here, and no one with arch linux. I'll build a new systemd for my current testbed.

8000

This enables us to run binaries which use these syscalls when systemd has seccomp enforcing enabled. Like reported this should affect at least all gcc compiled binaries. This solves issue rkt#3629.

trusch mentioned this issue Apr 10, 2017

seccomp: add arch-specific syscalls on ARM #3636

Merged

lucab closed this as completed in #3636 May 10, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Default seccomp whitelist is insufficient on ARM #3629

Default seccomp whitelist is insufficient on ARM #362 8000 9

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Default seccomp whitelist is insufficient on ARM #3629

Default seccomp whitelist is insufficient on ARM #362 8000 9

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!