Support specs.LinuxSeccompFlagWaitKillableRecv#5172
Support specs.LinuxSeccompFlagWaitKillableRecv#5172AkihiroSuda merged 1 commit intoopencontainers:mainfrom
Conversation
kolyshkin
force-pushed
the
seccomp-wait-kill
branch
3 times, most recently
from
25bdccb to
7eaa328
Compare
kolyshkin
force-pushed
the
seccomp-wait-kill
branch
from
7eaa328 to
0c3846f
Compare
|
On a cursory look, this sounds good. But I'm going afk soon and it's been a few years since I was working with this, I can take a closer look next week if no one else had :) |
rata
left a comment
rata
left a comment
There was a problem hiding this comment.
Thanks, I was checking the kernel commit to see if I didn't remember something, but all is good. LGTM, thanks! :)
This adds support for WaitKillableRecv seccomp flag (also known as SCMP_FLTATR_CTL_WAITKILL in libseccomp and as SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV in the kernel). This requires: - libseccomp >= 2.6.0 - libseccomp-golang >= 0.11.0 - linux kernel >= 5.19 Note that this flag does not make sense without NEW_LISTENER, and the kernel returns EINVAL when SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV is set but SECCOMP_FILTER_FLAG_NEW_LISTENER is not set. For runc this means that .linux.seccomp.listenerPath should also be set, and some of the seccomp rules should have SCMP_ACT_NOTIFY action. This is why the flag is tested separately in seccomp-notify.bats. At the moment the only adequate CI environment for this functionality is Fedora 43. On all other platforms (including CentOS 10 and Ubuntu 24.04) it is skipped similar to this: > ok 251 runc run [seccomp] (SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV) # skip requires libseccomp >= 2.6.0 and API level >= 7 (current version: 2.5.6, API level: 6) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
kolyshkin
force-pushed
the
seccomp-wait-kill
branch
from
0c3846f to
0079bee
Compare
kolyshkin
added
the
backport/1.5-todo
kolyshkin
added
backport/1.5-done
| [debian-armhf]: https://wiki.debian.org/ArmHardFloatPort | ||
|
|
||
| ### Added ### | ||
| - Support for specs.LinuxSeccompFlagWaitKillableRecv. (#5172) |
There was a problem hiding this comment.
Ah, this is the flaw with putting changelog entries in a single file -- if you do a release then it might get merged in a way you don't expect.
Maybe we should create changelog entries in a directory that then get merged? I can also just get an LLM to spit out a dumb script to collate PR notes... 🤔
There was a problem hiding this comment.
Yes, this is what Go does -- they add a bunch of numbered .md files into git (under ./doc/next/), and right before the release those are concatenated into release notes (which leaves in a separate repository, x/website) and removed from golang/go git. You can see the beginning of go1.27 doc/next here: https://github.com/golang/go/tree/master/doc/next
There was a problem hiding this comment.
... and once they merge all the doc/next into the final release notes, they keep working on it (see https://github.com/golang/website/commits/master/_content/doc/go1.26.md). Sure, runc is a much smaller project but I guess adding a bunch of files and then merging them into a draft of release notes is a good approach.
4 participants
This adds support for WaitKillableRecv seccomp flag
(also known as SCMP_FLTATR_CTL_WAITKILL in libseccomp and
as SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV in the kernel).
This requires:
Note that this flag does not make sense without NEW_LISTENER, and
the kernel returns EINVAL when SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
is set but SECCOMP_FILTER_FLAG_NEW_LISTENER is not set.
For runc this means that .linux.seccomp.listenerPath should also be set,
and some of the seccomp rules should have SCMP_ACT_NOTIFY action. This
is why the flag is tested separately in seccomp-notify.bats.
At the moment the only adequate CI environment for this functionality is
Fedora 43. On all other platforms (including CentOS 10 and Ubuntu 24.04)
it is skipped similar to this:
Closes: #3862.