seccompfilter: Use SCMP_ACT_KILL_PROCESS only on compatible kernels #234
Conversation
Signed-off-by: Marcel Bargull <marcel.bargull@udo.edu>
Signed-off-by: Marcel Bargull <marcel.bargull@udo.edu>
Signed-off-by: Marcel Bargull <marcel.bargull@udo.edu>
Signed-off-by: Marcel Bargull <marcel.bargull@udo.edu>
Signed-off-by: Marcel Bargull <marcel.bargull@udo.edu>
Signed-off-by: Marcel Bargull <marcel.bargull@udo.edu>
Signed-off-by: Marcel Bargull <marcel.bargull@udo.edu>
|
(The commit with the actual fix is not yet pushed to let the |
As intended: |
As before, this only uses SCMP_ACT_KILL_PROCESS for libseccomp versions which define it. Additionally, it is only used if at run time the kernel reports it as a supported action. For this SECCOMP_GET_ACTION_AVAIL must be available (supported from Linux 4.14 onward and backported to CentOS 7's kernel) and SECCOMP_RET_KILL_PROCESS (Linux 4.14+, but not in CentOS 7). Signed-off-by: Marcel Bargull <marcel.bargull@udo.edu>
mbargull
force-pushed
the
conditional-SCMP_ACT_KILL_PROCESS
branch
from
ea29112 to
189e1ed
Compare
| LIBSECCOMP_COMMIT: v2.3.3 | ||
| LIBSLIRP_COMMIT: v4.1.0 |
There was a problem hiding this comment.
Since the VM setup takes approx. twice as much time as an actual build+test, I opted for a single CI job because it seemed more economical. (But it is also just in the realm of 2 min. setup + 1 min. for each run.)
| env: | ||
| LIBSECCOMP_COMMIT: v2.3.3 | ||
| LIBSLIRP_COMMIT: v4.1.0 | ||
| BENCHMARK_IPERF3_DURATION: 3 |
There was a problem hiding this comment.
It probably makes sense to not run the full 4 x 60 seconds benchmark in each CI job. I only reduced the time for the duration for the newly added VM-based job.
| LIBSLIRP_COMMIT: v4.2.0 | ||
| # Fails with --disable-dns from libslirp >=4.3.0 | ||
| # (no timeout in test-slirp4netns-disable-dns.sh). |
There was a problem hiding this comment.
I did not investigate this further, so can't tell if it's kernel or ncat version related, but with libslirp 4.3.1 the --disable-dns did not show the expected timeout.
There was a problem hiding this comment.
https://github.com/rootless-containers/slirp4netns/blob/v1.1.6/tests/test-slirp4netns-disable-dns.sh#L33-L35 does not get a timeout message to grep for (the ncat seems to succeed).
| touch ./build-and-test | ||
| chmod a+x ./build-and-test | ||
| ' | ||
|
|
||
| cat > ./build-and-test <<'EOS' |
There was a problem hiding this comment.
I have only included this static build-and-test script inline here because I wasn't sure if you'd prefer to have the Vagrantfile as self-contained as possible or if a separate script file would be okay/preferable.
| "${src_dir}/slirp4netns/configure" --prefix="${prefix}" | ||
| make -j "$( nproc )" | ||
|
|
||
| make ci 'CLANGTIDY=echo skipping:' 'CLANGFORMAT=echo skipping:' |
There was a problem hiding this comment.
I did not look into how to install clang-tidy/clang-format on CentOS and thus just "disabled" those targets by replacing the command with dummy echos.
tests/slirp4netns-no-unmount.sh
Outdated
| @@ -11,7 +11,7 @@ mkdir /run/foo | |||
| mount -t tmpfs tmpfs /run/foo | |||
| mount --make-rshared /run | |||
|
|
|||
| unshare -n sleep infinity & | |||
| unshare -r -n sleep infinity & | |||
There was a problem hiding this comment.
Without this the tests (also on Ubuntu) are prolonged by 40s due to the 2 x 40 x 0.5s waiting from wait_for_network_namespace and wait_for_network_device.
There was a problem hiding this comment.
This seems to need investigation. I don't think we should need -r here.
cc @giuseppe
There was a problem hiding this comment.
the user should already have enough privileges to run these tests, why does the new user namespace make a difference?
There was a problem hiding this comment.
I have no idea, unfortunately (not my area of expertise). I only noticed this while running the tests.
I reverted the associated commit for now.
@AkihiroSuda, @giuseppe can you open an issue to track this?
(Asking you because you can give more context than unknowledgeable me.)
| result="$(nsenter --preserve-credentials -U -n --target=$child ip a show dev tun11)" | ||
| echo "$result" | grep -om1 '^\s*inet .*/' | grep -qF 10.0.135.228 |
There was a problem hiding this comment.
The older ip on CentOS 7 does not support -json so I had to work around this to make this test runnable on CentOS 7. Please let me know if this needs further adjustment.
|
If there are any changes/cleanup/refactoring (within the actual |
|
Can we have 189e1ed as a separate PR? |
This reverts commit 0587bbf. Signed-off-by: Marcel Bargull <marcel.bargull@udo.edu>
|
Ah, sorry, I didn't notice the |
|
Oh, very sorry, for the mix up! |
Ah, yes, nevermind my previous comments then :). Thank you! |
Supersedes gh-232.
This also adds/changes the following:
--enable-seccomp.