Support SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV #3862

utam0k wants to merge 1 commit into opencontainers:main from
Fix opencontainers#3860

Signed-off-by: utam0k <k0ma@utam0k.jp>
crun: containers/crun#1008

Could you remove: Line 16 in 6beb3c6

I guess this needs to be
Once in, we can implement it in runc.

I see. I will make this PR the draft PR once.
A quick status update. For libseccomp, it looks like support for SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV / SCMP_FLTATR_CTL_WAITKILL is added in seccomp/libseccomp#387, which has the 2.6.0 milestone. Indeed, the functionality is not in a released version as of the time of writing this (Jan 2025). So this PR has to wait for:

This is now DONE!

This is being done in seccomp/libseccomp-golang#114 (there will be more PRs, and eventually a new release).

Moving to 1.4 because this doesn't seem ready and it seems like a feature that we shouldn't merge at this point for 1.3. Don't hesitate to speak up if you want this in 1.3 anyway.

We still need a libseccomp-golang release, which is more or less in review ATM.

What is the current status?
['"SECCOMP_FILTER_FLAG_TSYNC"']=0 # Supported but ignored by runc, thus 0.
['"SECCOMP_FILTER_FLAG_LOG"']=2
['"SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=4
['"SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"']=7
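Review bot: the value 7 on the SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV line breaks the pattern of the neighbouring entries, which carry each flag's kernel bit value (LOG=2, SPEC_ALLOW=4, TSYNC forced to 0 only because runc ignores it); the kernel defines SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV as bit 5, i.e. 32, which is also what the review comment on this line asks for. Suggest `['"SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"']=32`.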
The value here should be 32.

Status update: I was trying to revamp this and hit the wall: once the new flag is enabled, our example seccompagent stops working normally. Opened a draft PR #5172, but someone who knows more about seccomp will need to take a look.

Update: PR #5172 is ready for review, so we can close this one.
Fix #3860

I didn't find a good way to test SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV 😭