seccomp filter breaks latest glibc (in fedora rawhide) by blocking clone3 with EPERM #42680

berrange · 2021-07-27T09:24:28Z

Description
I have a docker built with seccomp running on Fedora 34 host. Attempting to run commands inside a container with the registry.fedoraproject.org/fedora:rawhide image results in programs failing to fork processes.

eg

$ docker run -it registry.fedoraproject.org/fedora:rawhide  curl google.com
curl: (6) getaddrinfo() thread failed to start

Tracing the container "curl" process I can see

clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f000ec6d910, parent_tid=0x7f000ec6d910, exit_signal=0, stack=0x7f000e46d000, stack_size=0x7ffe00, tls=0x7f000ec6d640}, 88) = -1 EPERM (Operation not permitted)

The latest glibc now attempts to use 'clone3' by default. For backwards compatibility it will look for ENOSYS errno and fallback to "clone". The EPERM errno meanwhile is treated as a fatal error.

The default seccomp filter installed by docker is causing EPERM and so this breaks the glibc fallback.

Explicitly passing the default seccomp profile config makes it work, despite not allowing clone3

$ wget https://raw.githubusercontent.com/docker/labs/master/security/seccomp/seccomp-profiles/default.json -O profile.json
$ docker run --security-opt seccomp=profile2.json -it registry.fedoraproject.org/fedora:rawhide  curl google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
..snip...

Tracing again shows clone3 now returns ENOSYS

clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f098bf8a910, parent_tid=0x7f098bf8a910, exit_signal=0, stack=0x7f098b78a000, stack_size=0x7ffe00, tls=0x7f098bf8a640}, 88) = -1 ENOSYS (Function not implemented)

I expect this difference in behaviour is as a result of the heuristics implemented for choosing EPERM vs ENOSYS in runc with opencontainers/runc@7a8d716

Also it is impossible to run docker build

$ cat test.dkr 
FROM registry.fedoraproject.org/fedora:rawhide

RUN curl google.com

$ docker build -f test.dkr  .
Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM registry.fedoraproject.org/fedora:rawhide
 ---> 887689ee223e
Step 2/2 : RUN curl google.com
 ---> Running in a370ae01f27e
curl: (6) getaddrinfo() thread failed to start
The command '/bin/sh -c curl google.com' returned a non-zero code: 6

and seccomp can't be overriden to make it work

$ docker build --security-opt seccomp=~/profile2.json -f test.dkr  .
Sending build context to Docker daemon  2.048kB
Error response from daemon: The daemon on this platform does not support setting security options on build

Steps to reproduce the issue:

Install docker 20.10.7, with seccomp enabled in biuld
docker run -it registry.fedoraproject.org/fedora:rawhide curl google.com

Describe the results you received:
curl: (6) getaddrinfo() thread failed to start

Describe the results you expected:
Dump of google.com

Output of docker version:

Client:
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.16.6
 Git commit:        f0df350
 Built:             Mon Jul 26 16:34:29 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.6
  Git commit:       b0f5bc3
  Built:            Thu Jul 22 00:00:00 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.3
  GitCommit:        
 runc:
  Version:          1.0.1
  GitCommit:        4fc6f22
 docker-init:
  Version:          0.19.0
  GitCommit:

Output of docker info:

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 78
  Running: 1
  Paused: 0
  Stopped: 77
 Images: 3
 Server Version: 20.10.7
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: journald
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: /usr/libexec/docker/docker-init
 containerd version: 
 runc version: 4fc6f22
 init version: 
 Security Options:
  seccomp
   Profile: default
  selinux
  cgroupns
 Kernel Version: 5.14.0-0.rc2.20210721git8cae8cd89f05.24.fc35.x86_64
 Operating System: Fedora Linux 35 (Server Edition Prerelease)
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 7.438GiB
 Name: fedora
 ID: GQBM:HCKW:MKVM:Y5RK:HXPA:ZCCY:EXPA:FQBS:S4ZN:HRL5:5PSZ:KK7B
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: true

Additional environment details (AWS, VirtualBox, physical, etc.):
Virtual machine running Fedora 35 VM. Also seen in GitLab CI when using 'docker:dind' for builds

The text was updated successfully, but these errors were encountered:

If no seccomp policy is requested, then the built-in default policy in dockerd applies. This has no rule for "clone3" defined, nor any default errno defined. So when runc receives the config it attempts to determine a default errno, using logic defined in its commit: opencontainers/runc@7a8d716 As explained in the above commit message, runc uses a heuristic to decide which errno to return by default: [quote] The solution applied here is to prepend a "stub" filter which returns -ENOSYS if the requested syscall has a larger syscall number than any syscall mentioned in the filter. The reason for this specific rule is that syscall numbers are (roughly) allocated sequentially and thus newer syscalls will (usually) have a larger syscall number -- thus causing our filters to produce -ENOSYS if the filter was written before the syscall existed. [/quote] Unfortunately clone3 appears to one of the edge cases that does not result in use of ENOSYS, instead ending up with the historical EPERM errno. Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use clone3 by default. If it sees ENOSYS then it will automatically fallback to using clone. Any other errno is treated as a fatal error. Thus when docker seccomp policy triggers EPERM from clone3, no fallback occurs and programs are thus unable to spawn threads. The clone3 syscall is much more complicated than clone, most notably its flags are not exposed as a directly argument any more. Instead they are hidden inside a struct. This means that seccomp filters are unable to apply policy based on values seen in flags. Thus we can't directly replicate the current "clone" filtering for "clone3". We can at least ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone" at which point we can filter on flags. Fixes: moby#42680 Signed-off-by: Daniel P. Berrangé <[email protected]>

If no seccomp policy is requested, then the built-in default policy in dockerd applies. This has no rule for "clone3" defined, nor any default errno defined. So when runc receives the config it attempts to determine a default errno, using logic defined in its commit: opencontainers/runc@7a8d716 As explained in the above commit message, runc uses a heuristic to decide which errno to return by default: [quote] The solution applied here is to prepend a "stub" filter which returns -ENOSYS if the requested syscall has a larger syscall number than any syscall mentioned in the filter. The reason for this specific rule is that syscall numbers are (roughly) allocated sequentially and thus newer syscalls will (usually) have a larger syscall number -- thus causing our filters to produce -ENOSYS if the filter was written before the syscall existed. [/quote] Unfortunately clone3 appears to one of the edge cases that does not result in use of ENOSYS, instead ending up with the historical EPERM errno. Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use clone3 by default. If it sees ENOSYS then it will automatically fallback to using clone. Any other errno is treated as a fatal error. Thus when docker seccomp policy triggers EPERM from clone3, no fallback occurs and programs are thus unable to spawn threads. The clone3 syscall is much more complicated than clone, most notably its flags are not exposed as a directly argument any more. Instead they are hidden inside a struct. This means that seccomp filters are unable to apply policy based on values seen in flags. Thus we can't directly replicate the current "clone" filtering for "clone3". We can at least ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone" at which point we can filter on flags. Fixes: moby/moby#42680 Signed-off-by: Daniel P. Berrangé <[email protected]> Upstream-commit: 9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594 Component: engine

Current Docker version on Ubuntu 20.04 used by GH Actions suffers from an incompatibility with newer glibc [0] used by Fedora Rawhide, causing Rawhide containers in CI to fail with: ``` Errors during downloading metadata for repository 'fedora-cisco-openh264': - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-rawhide&arch=x86_64 [getaddrinfo() thread failed to start] ``` glibc 2.34 and later tries to use the clone3 syscall (for hardware-assisted security hardening on x86_64), and falls back to clone2 on ENOSYS. However, with the current seccomp profile Docker returns EPERM instead, which is considered a "hard" fail. A fix [1] has been merged in upstream, but until then let's run the CI Docker containers without any seccomp profiles to allow Rawhide jobs to to their job. (I tried to disable seccomp only for the Rawhide jobs, but I couldn't procure any solution which wouldn't make my eyes bleed...) [0] moby/moby#42680 [1] moby/moby#42681

If no seccomp policy is requested, then the built-in default policy in dockerd applies. This has no rule for "clone3" defined, nor any default errno defined. So when runc receives the config it attempts to determine a default errno, using logic defined in its commit: opencontainers/runc@7a8d716 As explained in the above commit message, runc uses a heuristic to decide which errno to return by default: [quote] The solution applied here is to prepend a "stub" filter which returns -ENOSYS if the requested syscall has a larger syscall number than any syscall mentioned in the filter. The reason for this specific rule is that syscall numbers are (roughly) allocated sequentially and thus newer syscalls will (usually) have a larger syscall number -- thus causing our filters to produce -ENOSYS if the filter was written before the syscall existed. [/quote] Unfortunately clone3 appears to one of the edge cases that does not result in use of ENOSYS, instead ending up with the historical EPERM errno. Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use clone3 by default. If it sees ENOSYS then it will automatically fallback to using clone. Any other errno is treated as a fatal error. Thus when docker seccomp policy triggers EPERM from clone3, no fallback occurs and programs are thus unable to spawn threads. The clone3 syscall is much more complicated than clone, most notably its flags are not exposed as a directly argument any more. Instead they are hidden inside a struct. This means that seccomp filters are unable to apply policy based on values seen in flags. Thus we can't directly replicate the current "clone" filtering for "clone3". We can at least ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone" at which point we can filter on flags. Fixes: moby#42680 Signed-off-by: Daniel P. Berrangé <[email protected]> (cherry picked from commit 9f6b562)

clone3() can be used to implement clone() with CLONE_NEWUSER, allowing a sandboxed process to get CAP_SYS_ADMIN in a new namespace and manipulate its root directory. We need to block this so that AF_UNIX-based socket servers (X11, Wayland, etc.) can rely on /proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps. Partially fixes GHSA-67h7-w3jq-vh4q. Thanks: an anonymous reporter Signed-off-by: Simon McVittie <[email protected]>

Recently, glibc broke with seccomp again: syscall "clone3" is used by glibc 2.34 moby/moby#42680 This was fixed in Docker 20.10.10, moby/moby#42836 which was packaged in Arch Linux in October 2021

1. moby/moby#42680 2. adoptium/containers#215 (comment) 3. moby/moby#34454 (comment)

- Because [some morons don't know the difference between `EPERM` and `ENOSYS`](moby/moby#42680), we have to change our `wp-receptor` build strategy from (no pun intended) building on top of the `receptor` Docker image, to using `ghcr.io/ansible/awx` ; as the latter at least has git already installed - To add the `receptor` binary (self-contained, thanks Golang!) on top, use `{{ shellmacro_poor_mans_curl }}` twice in a shell pipeline, yow! to query the GitHub API, find the suitable binary relase of `ansible/receptor`, download and untar it As a further upside of this change, we are no longer pinned to v1.3.0 for reasons of Docker image format.

- Because [some morons don't know the difference between `EPERM` and `ENOSYS`](moby/moby#42680), we have to change our `wp-receptor` build strategy from (no pun intended) building on top of the `receptor` Docker image, to using `ghcr.io/ansible/awx` ; as the latter at least has git already installed. - To add the `receptor` binary (self-contained, thanks Golang!) on top, introduce `{{ shellmacro_poor_mans_curl }}` and use it twice in a shell pipeline, yow! to query the GitHub API, find the suitable binary relase of `ansible/receptor`, download and untar it. As a further upside of this change, we are no longer pinned to receptor v1.3.0 for reasons of Docker image format.

JefriReynaldi · 2024-02-06T06:21:02Z

$ docker run -it registry.fedoraproject.org/fedora:rawhide curl google.com
curl: (6) getaddrinfo() thread failed to start

berrange mentioned this issue Jul 27, 2021

seccomp: add support for "clone3" syscall in default policy #42681

Merged

thaJeztah mentioned this issue Jul 29, 2021

prepare release v1.4.9 docker/containerd-packaging#247

Merged

justincormack closed this as completed in #42681 Jul 30, 2021

fweimer-rh mentioned this issue Jul 30, 2021

Docker seccomp policy incompatible with glibc 2.34 actions/runner-images#3812

Closed

7 tasks

t-8ch mentioned this issue Aug 14, 2021

[Bug] Fedora 35 is unbuildable qmk/qmk_fpm#1

Closed

mrc0mmand mentioned this issue Aug 25, 2021

ci: temporarily disable seccomp for Docker containers restraint-harness/restraint#244

Closed

UncombedCoconut added a commit to naev/naev-infrastructure that referenced this issue Aug 29, 2021

Temporarily pin neav-linux-latest to Fedora 34 due to moby/moby#42680.

a5ae15e

tianon mentioned this issue Sep 9, 2021

[20.10 backport] seccomp: add support for "clone3" syscall in default policy #42836

Merged

thaJeztah mentioned this issue Sep 16, 2021

Use GO111MODULE=auto instead of "off" docker/containerd-packaging#249

Merged

aojea mentioned this issue Sep 19, 2021

failed to build image because blocking clone3 with EPERM (it works on master) docker/buildx#772

Closed

BlackYoup mentioned this issue Sep 23, 2021

runtime/cgo: pthread_create failed: Operation not permitted on glibc 2.34 elastic/apm-server#6238

Closed

amezin mentioned this issue Oct 1, 2021

Run tests on Fedora 35 ddterm/gnome-shell-extension-ddterm#85

Closed

This was referenced Oct 15, 2021

el8: keep on truckin k3s-io/k3s-selinux#24

Merged

initial support for s390x k3s-io/k3s-root#43

Merged

vt-alt mentioned this issue Oct 20, 2021

MKOSI container issue lkrg-org/lkrg#121

Closed

mtrmac mentioned this issue Nov 11, 2021

runtime/cgo: pthread_create failed: Operation not permitted containers/skopeo#1501

Closed

scop mentioned this issue Nov 27, 2021

ci: test on fedoradev again scop/bash-completion#645

Merged

This was referenced Jan 13, 2022

Update Dockerfile to use centos:stream9 kubevirt/node-maintenance-operator#172

Merged

Update Dockerfile to use centos:stream9 kubevirt/cluster-network-addons-operator#1142

Merged

ggbecker mentioned this issue Feb 4, 2022

Add workaround to gitpod so the container image can be built. ComplianceAsCode/content#8157

Closed

jlebon mentioned this issue Feb 25, 2022

Quay.io fails to build cosa; move to pushing from OpenShift CI coreos/coreos-assembler#2722

Closed

thaJeztah mentioned this issue Mar 7, 2022

Docker in Docker cannot install bundler (ruby gem), on alpine 3.14+ #43311

Closed

bananer mentioned this issue May 14, 2022

repo sync from container on Docker 18.09 - getaddrinfo() thread failed to start lineageos4microg/docker-lineage-cicd#300

Closed

alf mentioned this issue May 29, 2022

Docker image fails during initdb timescale/timescaledb-docker-ha#260

Closed

nickdesaulniers mentioned this issue Jun 11, 2022

Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for ClangBuiltLinux/containers#34

Closed

dbarrosop mentioned this issue Jun 11, 2022

Startup exception in 0.2.x releases nhost/hasura-storage#93

Closed

kvaps mentioned this issue Aug 31, 2022

Permission denied while running buildah image with docker containers/buildah#2098

Closed

alecxvs mentioned this issue Sep 22, 2022

Plugin fails to start on Grafana 9.1.5: "Unrecognized remote plugin message" grafana/grafana-zabbix#1507

Closed

keeganwitt mentioned this issue Oct 14, 2022

latest 11-jdk on ubuntu jammy breaks keytool -importcert adoptium/containers#215

Closed

TheMrRandomDude mentioned this issue Oct 23, 2022

Container fails to start - openbox/novnc exiting with errors realies/soulseek-docker#48

Closed

disassembler mentioned this issue Nov 17, 2022

[BUG] - Cardano-node crashes IntersectMBO/cardano-node#4640

Closed

avanov mentioned this issue Jan 7, 2023

Does Alpine support unprivileged userns in its kernel? alpinelinux/docker-alpine#297

Open

moylop260 mentioned this issue Feb 20, 2023

Unable to create a new image for a v16.0 project Vauxoo/travis2docker#195

Closed

vasiliy-ul mentioned this issue Mar 30, 2023

virt-operator pod crash becasue of securityContext.seccompProfile: type: RuntimeDefault kubevirt/kubevirt#9540

Closed

vihangm mentioned this issue Apr 11, 2023

runtime/cgo: pthread_create failed: Operation not permitted pixie-io/pixie#1101

Open

MatthijsBlom mentioned this issue May 4, 2023

Reduce image size exercism/haskell-test-runner#81

Merged

lrtfm added a commit to lrtfm/firedrake-dockerfile that referenced this issue May 11, 2023

Revert ubuntu to 20.04 as 22.04 issue on docker

d8a95b9

1. moby/moby#42680 2. adoptium/containers#215 (comment) 3. moby/moby#34454 (comment)

nimbleghost mentioned this issue Jun 9, 2023

Unable to run ntfy on Docker - unknown pc error binwiederhier/ntfy#770

Closed

gomesrup mentioned this issue Jul 3, 2023

docker redis 7.0 run error: Fatal: Can't initialize Background Jobs. redis/redis#12362

Open

mtrmac mentioned this issue Jul 31, 2023

docker build image failed in mac，"pthread_create failed: Operation not permitted". but in linux is normal containers/skopeo#2058

Closed

siccovansas mentioned this issue Aug 14, 2023

DNS Resolution broken between nextcloud 25 and 26 nextcloud/docker#2049

Closed

sorah mentioned this issue Nov 13, 2023

Ruby thread creation issue in docker sorah/acmesmith#60

Closed

EricRibeiro mentioned this issue Nov 30, 2023

can't create Thread: Operation not permitted CircleCI-Public/docker-orb#182

Closed

grondo mentioned this issue Dec 9, 2023

Failed to create timer thread: operation not permitted (docker jammy) flux-framework/flux-sched#1112

Closed

This comment was marked as spam.

Sign in to view

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

seccomp filter breaks latest glibc (in fedora rawhide) by blocking clone3 with EPERM #42680

seccomp filter breaks latest glibc (in fedora rawhide) by blocking clone3 with EPERM #42680

berrange commented Jul 27, 2021

This comment was marked as spam.

JefriReynaldi commented Feb 6, 2024

seccomp filter breaks latest glibc (in fedora rawhide) by blocking clone3 with EPERM #42680

seccomp filter breaks latest glibc (in fedora rawhide) by blocking clone3 with EPERM #42680

Comments

berrange commented Jul 27, 2021

This comment was marked as spam.

JefriReynaldi commented Feb 6, 2024