
[1.5] Support specs.LinuxSeccompFlagWaitKillableRecv#5183

Merged
lifubang merged 1 commit into opencontainers:release-1.5 from kolyshkin:1.5-5172
Mar 25, 2026

Conversation

@kolyshkin (Contributor)

Backport of #5172 to release-1.5.

This adds support for the WaitKillableRecv seccomp flag (also known as SCMP_FLTATR_CTL_WAITKILL in libseccomp and as SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV in the kernel).

This requires:

  • libseccomp >= 2.6.0
  • libseccomp-golang >= 0.11.0
  • linux kernel >= 5.19

Note that this flag does not make sense without NEW_LISTENER, and the kernel returns EINVAL when SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV is set but SECCOMP_FILTER_FLAG_NEW_LISTENER is not set.

For runc this means that .linux.seccomp.listenerPath should also be set, and some of the seccomp rules should have the SCMP_ACT_NOTIFY action. This is why the flag is tested separately in seccomp-notify.bats.

At the moment the only adequate CI environment for this functionality is Fedora 43. On all other platforms (including CentOS 10 and Ubuntu 24.04) it is skipped, similar to this:

ok 251 runc run [seccomp] (SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV) # skip requires libseccomp >= 2.6.0 and API level >= 7 (current version: 2.5.6, API level: 6)

(cherry picked from commit 0079bee)
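A consistency check for the combination the description spells out (WAIT_KILLABLE_RECV only with NEW_LISTENER, a listenerPath, and at least one SCMP_ACT_NOTIFY rule). This is an added example, not runc's own validation code; the struct mirrors only the .linux.seccomp fields it needs, and the two sample sections, including the /run/seccomp-agent.sock path, are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Partial mirror of the OCI ".linux.seccomp" section (assumption: only the fields this check needs).
type seccompConfig struct {
	Flags        []string `json:"flags"`
	ListenerPath string   `json:"listenerPath"`
	Syscalls     []struct{ Action string `json:"action"` } `json:"syscalls"`
}

// CheckWaitKillableRecv lists why a seccomp section asking for WAIT_KILLABLE_RECV
// would fail: the kernel returns EINVAL without NEW_LISTENER, and the listener is
// inert without a listenerPath and at least one SCMP_ACT_NOTIFY rule.
func CheckWaitKillableRecv(raw []byte) ([]string, error) {
	var cfg seccompConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse seccomp section: %w", err)
	}
	flags := map[string]bool{}
	for _, f := range cfg.Flags {
		flags[f] = true
	}
	if !flags["SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"] {
		return nil, nil // flag not requested: nothing to check
	}
	var problems []string
	if !flags["SECCOMP_FILTER_FLAG_NEW_LISTENER"] {
		problems = append(problems, "WAIT_KILLABLE_RECV without NEW_LISTENER (kernel returns EINVAL)")
	}
	if cfg.ListenerPath == "" {
		problems = append(problems, "listenerPath is empty, nothing can receive notifications")
	}
	notify := false
	for _, sc := range cfg.Syscalls {
		notify = notify || sc.Action == "SCMP_ACT_NOTIFY"
	}
	if !notify {
		problems = append(problems, "no syscall rule uses SCMP_ACT_NOTIFY")
	}
	return problems, nil
}

// Constructed samples: the consistent combination, and the flag on its own (rejected by the kernel).
const GoodSeccomp = `{"flags": ["SECCOMP_FILTER_FLAG_NEW_LISTENER", "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"], "listenerPath": "/run/seccomp-agent.sock", "syscalls": [{"names": ["mkdir"], "action": "SCMP_ACT_NOTIFY"}]}`
const BadSeccomp = `{"flags": ["SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"], "syscalls": [{"names": ["mkdir"], "action": "SCMP_ACT_ERRNO"}]}`
```

Running CheckWaitKillableRecv over BadSeccomp reports all three problems, so a misconfigured bundle can be rejected before runc ever hits the kernel's EINVAL.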

@kolyshkin kolyshkin added the backport/1.5-pr A backport PR to release-1.5 label Mar 18, 2026
@kolyshkin kolyshkin modified the milestones: 1.5.0, 1.5.0-rc.2 Mar 18, 2026
@rata (Member) left a comment

LGTM, thanks!

@kolyshkin (Contributor, Author)

Changelog entry placement fixed; backport PR added. @cyphar PTAL

This adds support for the WaitKillableRecv seccomp flag
(also known as SCMP_FLTATR_CTL_WAITKILL in libseccomp and
as SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV in the kernel).

This requires:
 - libseccomp >= 2.6.0
 - libseccomp-golang >= 0.11.0
 - linux kernel >= 5.19

Note that this flag does not make sense without NEW_LISTENER, and
the kernel returns EINVAL when SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
is set but SECCOMP_FILTER_FLAG_NEW_LISTENER is not set.

For runc this means that .linux.seccomp.listenerPath should also be set,
and some of the seccomp rules should have the SCMP_ACT_NOTIFY action. This
is why the flag is tested separately in seccomp-notify.bats.

At the moment the only adequate CI environment for this functionality is
Fedora 43. On all other platforms (including CentOS 10 and Ubuntu 24.04)
it is skipped, similar to this:

> ok 251 runc run [seccomp] (SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV) # skip requires libseccomp >= 2.6.0 and API level >= 7 (current version: 2.5.6, API level: 6)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 0079bee)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@lifubang lifubang enabled auto-merge March 25, 2026 03:41
@lifubang lifubang merged commit 84c4850 into opencontainers:release-1.5 Mar 25, 2026
63 checks passed
@kolyshkin kolyshkin mentioned this pull request Apr 3, 2026

Labels

area/seccomp backport/1.5-pr A backport PR to release-1.5


3 participants