seccomp: refactor flags support; add flags to features, set SPEC_ALLOW by default #3588
Conversation
kolyshkin
requested review from
AkihiroSuda and
cyphar
and removed request for
AkihiroSuda
kolyshkin
force-pushed
the
seccomp-flags-rework
branch
from
7548ef4
to
924ce7a
Compare
|
@kolyshkin thanks for the cc! I'll be on and off for a few weeks. Is this something we want for the next runc release and I should try to prioritize its review? Or can it wait a few weeks maybe? |
It is done here: The man page says:
Does it mean it is less secure with this flag? |
It sort of is -- meaning, if someone will find a way to use seccomp ebpf program to exploit the hardware SSB issue. Practically, this seems highly unlikely, since the seccomp ebpf code is generated by libseccomp. IOW a user do not have direct control over ebpf code being loaded into the kernel, they can only influence is via the seccomp rules, which makes it much harder to exploit the vulnerability. |
|
Also, it seems that in kernel v5.16 this (disabling the mitigations for seccomp) is the default (according to https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=for-next/seccomp&id=2f46993d83ff4abb310ef7b4beced56ba96f0d9d, which made its way into v5.16). By the way, the commit mistakenly claims runc sets this flag by default -- it does not (until this PR is merged, that is). |
There was a problem hiding this comment.
@kolyshkin Thanks, on a cursory look, it LGTM.
I have not tried hard to see if more code simplifications are possible. But the PR seems reasonable to me :)
Left some coments, but cosmetical
| @@ -665,6 +665,9 @@ func filterFlags(config *configs.Seccomp, filter *libseccomp.ScmpFilter) (flags | |||
| } | |||
|
|
|||
| func sysSeccompSetFilter(flags uint, filter []unix.SockFilter) (fd int, err error) { | |||
| // This debug output is validated in tests/integration/seccomp.bats | |||
| // by the SECCOMP_FILTER_FLAG_* test. | |||
| logrus.Debugf("seccomp filter flags: %d", flags) | |||
There was a problem hiding this comment.
Any reason to not use %v? I find it more clear to use %v unless you want something else. Isn't %v printing the same here?
There was a problem hiding this comment.
So, %d says "print argument as an integer", and %v means "print argument using the default formatting for its type". Since the type is integer, in this case %v will result in the same output as %d. The only difference (I guess but not entirely sure), is %v incurs slightly more runtime overhead, and the only benefit of using %v here would be that we won't have to change it if we change the flags type.
Since this is clearly an integer, I don't see why we shouldn't use %d. Personally, I find it more clear, as I can see we're printing an integer without looking at the flags type.
So I have to ask the same question to you -- why not use %d?
There was a problem hiding this comment.
OK, it seems that you have ignored the description and reviewed the first two commits, which are actually from #3580 and were merged in there.
There was a problem hiding this comment.
Oh, yes, I missed the description. Sorry!
I see reasons to one or the other, I personally prefer the other and was wondering if this was on purpose. SGTM if you prefer it :)
| } | ||
|
|
||
| func (e *unknownFlagError) Error() string { | ||
| return "seccomp flag " + string(e.flag) + " is not known to runc" |
There was a problem hiding this comment.
not known? Not supported seems a more standard way to say this to the user
There was a problem hiding this comment.
I think I copy-pasted that from the earlier code. And yes, I agree that "not supported" seems more common language, OTOH "more known" is more specific in this particular case.
"Not supported" is sort of generic, and can mean multiple things, such as the support for this feature or flags is
- not yet added;
- dropped;
- not compiled it;
- is impossible because of the current hardware or the kernel;
and so on.
"Not known" is more specific, meaning this runc version is not aware that such flag exists (so, if it is exists, this is a clear hint that the runc version used is too old).
There was a problem hiding this comment.
So, if you take a look at the code adding flags to runc features, you'll see there are "known" and "supported" set of flags (with supported being a subset of known). This is why I'm using the word "known" here.
tests/integration/seccomp.bats
Outdated
| declare -A FLAGS=( | ||
| ['REMOVE']=0 # No setting, use built-in default. | ||
| ['EMPTY']=0 # Empty set of flags. | ||
| ['"SECCOMP_FILTER_FLAG_LOG"']=2 | ||
| ['"SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=4 | ||
| ['"SECCOMP_FILTER_FLAG_TSYNC"']=0 # tsync flag is ignored. | ||
| ['"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=6 | ||
| ['"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_TSYNC"']=2 | ||
| ['"SECCOMP_FILTER_FLAG_SPEC_ALLOW","SECCOMP_FILTER_FLAG_TSYNC"']=4 | ||
| ['"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_SPEC_ALLOW","SECCOMP_FILTER_FLAG_TSYNC"']=6 |
There was a problem hiding this comment.
A comment explaining where you got these values seems useful for future collaborators.
Also, the tsync ignored comment can either be in all instances of tsync being used or a more visible comment on the top, maybe?
There was a problem hiding this comment.
I wanted to rework this test so that I won't have to add all the combinations manually. Guess this is what I'll do now :)
There was a problem hiding this comment.
Reworked the test (see the last commit). Beware: hardcode bash.
kolyshkin
force-pushed
the
seccomp-flags-rework
branch
from
924ce7a
to
8f9d08a
Compare
tests/integration/seccomp.bats
Outdated
| # Filter out flags not supported by the current seccomp/kernel, | ||
| # so this test can be run on older systems. |
There was a problem hiding this comment.
I'm sure I'm missing something, but why hardcode the vars in the flags array and then ignore the not supported ones? Wouldn't be the same to just test all the supported ones? (and we don't harcode any flag here)
I see we might get unlucky in the CI and maybe some flag is never tested, and that is interesting to know. But we are not detecting that here either, right? Maybe that can be a different test for that (well, not sure it is easy to detect that... and seems unlikely)?
But I'm sure I'm missing something obvious. My brain is off today. Sorry if this is indeed noise :)
There was a problem hiding this comment.
Since this test is actually checking that the flags are set as expected (the check was added by commit 26dc55e after we found out in #3580 that SPEC_ALLOW is just ignored), we need to know their numeric values.
Surely, we can just get the list of supported flags (which we should test) from runc features, but then again we still need their values.
Let me see if I can refactor the code to simplify it more (use supported flags as received from runc directly, and only use the hardcoded ones for numeric values).
There was a problem hiding this comment.
Oh, and wouldn't make sense for runc features to also print the numeric values (if we can easily parse it here, not worth the pain if this is hard)?
But the code is okay as it is now too from my POV :)
There was a problem hiding this comment.
Oh, and wouldn't make sense for runc features to also print the numeric values (if we can easily parse it here, not worth the pain if this is hard)?
Well, no one ever needs the numeric values (except for this test), and runc features target audience is runc users, not our tests.
Thus we have to hardcode it (unfortunately there is no easy way to see if a seccomp flag is set or not, so the test have to rely on debug output and compare the numbers).
There was a problem hiding this comment.
Ohh, ok. I thought it might have been present on some errors as hex or something maybe. But makes sense, in any case it is not so useful either
kolyshkin
force-pushed
the
seccomp-flags-rework
branch
3 times, most recently
from
560aa07
to
57dc492
Compare
Seems I've used a feature of bash which is relatively new. Rewrote without using |
types/features/features.go
Outdated
| // Nil value means "unknown", not "no support for any flag". | ||
| KnownFlags []string `json:"known_flags,omitempty"` | ||
|
|
||
| // Flags is the list of the supported filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG". |
There was a problem hiding this comment.
Doesn't match the variable name
There was a problem hiding this comment.
How is "supported" different from "recognized"?
Having two concepts doesn't seem consistent with other properties in this JSON
There was a problem hiding this comment.
Doesn't match the variable name
oops, fixed
There was a problem hiding this comment.
In this context "recognized" or "known" means runc is aware of the flag.
OTOH "supported" means this flag is not merely known to (recognized by) runc, but is also supported by the currently used libseccomp and the running kernel.
If you don't like such distinction, we can only print one set -- choose which one makes more sense. To me, "supported" makes more sense than "known" because, despite the flag being known, one can't use it anyway. The downside is one can't know if more flags would be supported after e.g. a kernel or libseccomp upgrade.
There was a problem hiding this comment.
@AkihiroSuda PTAL 🙏🏻
There was a problem hiding this comment.
@AkihiroSuda let me add some more context here.
All the "features" that we have in runc features are "known features", meaning they are recognized by this runc build. Some of those (like mount flags, for example) can not be used because the kernel version is too old, some library version is old, or a binary is missing. So, the feature is known but not supported.
For the sake of the seccomp flags test case, I need to have seccomp flags that are supported by the current runtime (meaning runc + libraries + kernel), so I added a distinction between "known" and "supported" flags.
I guess that the use case for this (distinguishing between known and supported flags) can also be used by the upper level (container orchestration) to query the runtime platform capabilities. Say, some mount attributes (like "rro") might be known but not supported due to older kernel.
I agree that this distinction doesn't really fit into current output of runc features, since we print known (rather than supported) features and flags.
Do you have any idea how to add such a distinction (between known and supported), if we ever want to add it? Something like runc features --supported (and maybe --known for the sake of completeness?).
It is really hard to write a seccomp flags test (in bash, that is) without relying on runc features to print the list of supported seccomp flags, but I guess this is a separate issue. Perhaps I can rewrite the test in Go (and make it the first runc integration test written in Go).
kolyshkin
force-pushed
the
seccomp-flags-rework
branch
from
57dc492
to
f89f2df
Compare
|
@mrunalp addressed your review comments |
kolyshkin
force-pushed
the
seccomp-flags-rework
branch
from
f510e5f
to
80639c4
Compare
kolyshkin
force-pushed
the
seccomp-flags-rework
branch
2 times, most recently
from
485b562
to
a0aa305
Compare
Fix a few copy-paste errors. Fixes: 520702d Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Amend runc features to print seccomp flags. Two set of flags are added: * known flags are those that this version of runc is aware of; * supported flags are those that can be set; normally, this is the same set as known flags, but due to older version of kernel and/or libseccomp, some known flags might be unsupported. This commit also consolidates three different switch statements dealing with flags into one, in func setFlag. A note is added to this function telling what else to look for when adding new flags. Unfortunately, it also adds a list of known flags, that should be kept in sync with the switch statement. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
If no seccomps flags are set in OCI runtime spec (not even the empty set), set SPEC_ALLOW as the default (if it's supported). Otherwise, use the flags as they are set (that includes no flags for empty seccomp.Flags array). This mimics the crun behavior, and makes runc seccomp performance on par with crun. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This test (initially added by commit 58ea21d and later amended in commit 26dc55e) currently has two major deficiencies: 1. All possible flag combinations, and their respective numeric values, have to be explicitly listed. Currently we support 3 flags, so there is only 2^3 - 1 = 7 combinations, but adding more flags will become increasingly difficult (for example, 5 flags will result in 31 combinations). 2. The test requires kernel 4.17 (for SECCOMP_FILTER_FLAG_SPEC_ALLOW), and not doing any tests when running on an older kernel. This, too, will make it more difficult to add extra flags in the future. Both issues can be solved by using runc features which now prints all known and supported runc flags. We still have to hardcode the numeric values of all flags, but most of the other work is coded now. In particular: * The test only uses supported flags, meaning it can be used with older kernels, removing the limitation (2) above. * The test calculates the powerset (all possible combinations) of flags and their numeric values. This makes it easier to add more flags, removing the limitation (1) above. * The test will fail (in flags_value) if any new flags will be added to runc but the test itself is not amended. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
kolyshkin
force-pushed
the
seccomp-flags-rework
branch
from
a0aa305
to
19a9d9f
Compare
|
@opencontainers/runc-maintainers anything I can do to move this forward? |
|
Can't click the merge button until getting one more LGTM 😞 Opened a proposal to uncheck the |
|
LGTM ! |
|
Is there any thoughts around backporting this change to runc 1.1? The change in ac04154 is especially important in context of k8s graduating secomp to default in 1.27 (kubernetes/enhancements#3718). The change in ac04154 is critical for performance as otherwise there is very significant perf degradation with seccomp enabled. The only alternative is for users to use 5.16 kernel (which is not a long term release; only 5.15 is) or alternatively tune their kernel flags. |
|
/cc @saschagrunert |
|
@bobbypage I'll be fine with it. Although, I'd prefer if we can make a smaller change to just enable SPEC_ALLOW by default (that is what you need, right?) and have the rest of this patch land in runc 1.2. That can be potentially way simpler (i hope :)). I've not tried to see if it is easy to create a backport a simpler patch just for the SPEC_ALLOW by default case, though. Any maintainers has thoughts on this? |
Currently a draft pending #3580 merge. When reviewing as a draft, please skip the first 2 commits (they are from #3580).This PR reworks seccomp flags support:
KnownFlags(),SupportedFlags()andFlagSupported()to seccomp pkg;runc features;SPEC_ALLOW, if supported (crun does that).TODO: fix the seccomp flags test to use runc features and not depend on kernel version (maybe in a separate PR).