Support SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV #3860

Open
AkihiroSuda opened this issue May 10, 2023 · 6 comments · May be fixed by #3862

@AkihiroSuda
Member

SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV was added in the Spec v1.1.0-rc.1:

utam0k added a commit to utam0k/runc that referenced this issue May 11, 2023
Fix opencontainers#3860

Signed-off-by: utam0k <k0ma@utam0k.jp>
@utam0k utam0k linked a pull request May 11, 2023 that will close this issue
@kolyshkin
Contributor

The commit seccomp/libseccomp#391 is not in the released version yet, and thus there's no support in libseccomp-golang either.

@Zheaoli
Contributor

Zheaoli commented Sep 27, 2023

I think maybe we have two issues to solve before supporting SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV

  1. libseccomp needs a stable release
  2. How to test the SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV?

@Zheaoli
Contributor

Zheaoli commented Sep 27, 2023

About the test, I may have some ideas.

  1. we may need a new binary for SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV in contrib/cmd/, like old seccompagent
  2. we can listen to UDS to reach the listener fd. And we should add a new signal handler for SIGUSR1
  3. In the bash test, we can run the runc binary with SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV like other seccomp tests.
  4. We send a SIGUSR1 to the runc process. We can check if this process is in the D state.
  5. We send a SIGUSR1 to the new seccomp agent, the agent will make a response for SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV. And the runc process would exit.
  6. We can check if the process exits correctly.

cc @utam0k
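
Added example, not part of the comment above and not code from runc's test suite: a shell helper a bash test could use for the "check if this process is in the D state" step. The function names and the sample `stat` lines are constructed for illustration; the only assumption about the system is the Linux `/proc/<pid>/stat` layout.

```shell
#!/usr/bin/env bash
# Hypothetical helpers for a bats-style test; names are not from runc.

# state_from_stat_line LINE
# Print the one-letter state (3rd field) of a /proc/<pid>/stat line.
# The 2nd field, comm, is wrapped in parentheses and may itself contain
# spaces or ')' (for example "runc:[2:INIT]" or "a) b"), so a plain
# whitespace split is wrong. Cut at the LAST ") " instead.
state_from_stat_line() {
	_rest=${1##*") "}                  # drop everything up to the last ") "
	[ "$_rest" != "$1" ] || return 1   # no ") " at all: not a stat line
	printf '%s\n' "${_rest%% *}"       # first word after comm is the state
}

# proc_state PID
# Print the current state letter of PID; fail if the process is gone.
proc_state() {
	[ -r "/proc/$1/stat" ] || return 1
	state_from_stat_line "$(cat "/proc/$1/stat")"
}

# wait_for_state PID STATE [TRIES]
# Poll every 0.1s until PID reports STATE. Returns 1 on timeout or if the
# process never exists, so the test fails instead of hanging.
wait_for_state() {
	_tries=${3:-50}
	while [ "$_tries" -gt 0 ]; do
		[ "$(proc_state "$1")" = "$2" ] && return 0
		_tries=$((_tries - 1))
		sleep 0.1
	done
	return 1
}

# Constructed sample lines (not captured from a real system).
SAMPLE_D='4242 (runc:[2:INIT]) D 4200 4242 4242 0 -1 4194560 0 0 0 0'
SAMPLE_S='4243 (a) b (c) S 1 4243 4243 0 -1 4194304 0 0 0 0'
```

In a test, `wait_for_state "$pid" D` would follow the first SIGUSR1, and a wait on the process exit would follow the agent's response.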

@AkihiroSuda
Member Author

I guess we can have a CI job to run the test with the main branch of libseccomp.
Ideally we should wait for libseccomp v2.6 GA, but it doesn't seem planned soon.

@Zheaoli
Contributor

Zheaoli commented Sep 27, 2023

> Ideally we should wait for libseccomp v2.6 GA, but it doesn't seem planned soon.

Yeah.... I will submit an issue to ask for the release plan
