Skip to content

update seccomp rules #818

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

update seccomp rules #818

wants to merge 2 commits into from

Conversation

dougsland
Copy link
Collaborator

@dougsland dougsland commented Apr 23, 2025
edited
Loading

The current seccomp changes completely disallow calling sched_setscheduler, but we can safely allow calling it with policy==SCHED_OTHER/BATCH/IDLE, as really the only problem is the various real-time classes.

The profile argument is the second (id 1) and the values for the classes are OTHER=0, BATCH==3, IDLE==5

Resolves: #702

Summary by Sourcery

Bug Fixes:

  • Modify seccomp rules to permit sched_setscheduler calls with non-real-time scheduling policies

@sourcery-ai Sourcery AI
Copy link
Contributor

sourcery-ai bot commented Apr 23, 2025
edited
Loading

Reviewer's Guide by Sourcery

This pull request modifies the seccomp rules to allow the sched_setscheduler syscall with non-real-time scheduling policies (SCHED_OTHER, SCHED_BATCH, and SCHED_IDLE). This addresses issue #702 by permitting safe usage of sched_setscheduler while preventing the use of real-time scheduling policies that could cause problems.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change Details Files
Updated seccomp rules to allow sched_setscheduler with specific scheduling policies.
  • Allowed sched_setscheduler syscall when the policy is SCHED_OTHER, SCHED_BATCH, or SCHED_IDLE.
  • Restricted sched_setscheduler syscall for real-time scheduling policies to prevent potential issues.
 create-seccomp-rules
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot approved these changes Apr 23, 2025
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @dougsland - I've reviewed your changes - here's some feedback:

Overall Comments:

  • Consider adding a comment in the code explaining why these specific SCHED policies are allowed.
Here's what I looked at during the review
  • 🟢 General issues: all looks good
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@dougsland
Copy link
Collaborator Author

Output now:

        {
                        "names": [
                                "sched_setscheduler"
                        ],
                        "action": "SCMP_ACT_ERRNO",
                        "args": [
                                {
                                        "index": 1,
                                        "value": 0,
                                        "valueTwo": 0,
                                        "op": "SCMP_CMP_NE"
                                },
                                {
                                        "index": 1,
                                        "value": 3,
                                        "valueTwo": 0,
                                        "op": "SCMP_CMP_NE"
                                },
                                {
                                        "index": 1,
                                        "value": 5,
                                        "valueTwo": 0,
                                        "op": "SCMP_CMP_NE"
                                }
                        ],
                        "errnoRet": 1,
                        "errno": "EPERM"
                },
                {
                        "names": [
                                "sched_setattr"
                        ],
                        "action": "SCMP_ACT_ERRNO",
                        "args": [],
                        "errnoRet": 1,
                        "errno": "EPERM"
                }

@dougsland
update seccomp rules
6cacfc6 
The current seccomp changes completely disallow calling sched_setscheduler,
but we can safely allow calling it with policy==SCHED_OTHER/BATCH/IDLE,
as really the only problem is the various real-time classes.

The profile argument is the second (id 1) and the values for the
classes are OTHER=0, BATCH==3, IDLE==5

Resolves: #702

Signed-off-by: Douglas Schilling Landgraf <[email protected]>
@dougsland dougsland self-assigned this Apr 23, 2025
@dougsland dougsland added the jira label Apr 23, 2025
@rhatdan
Copy link
Member

rhatdan commented Apr 24, 2025

@giuseppe PTAL

@giuseppe
Copy link
Member

where is the ALLOW rule added?

@rhatdan
Copy link
Member

rhatdan commented Apr 24, 2025

This is always something we should have added to podman
podman run --security-opt seccomp:+sched_setscheduler,foobar ...

Then add those access to allowed seccomp filters.

Similarly

podman run --security-opt seccomp:-ioclt,mkdir ...

@alexlarsson
Copy link
Collaborator

Looks good to me.

@dougsland
Copy link
Collaborator Author

dougsland commented May 1, 2025
edited
Loading

Am I doing something wrong @alexlarsson?

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>

void test_policy(int policy, const char *name) {
    struct sched_param param;
    param.sched_priority = 0; // default priority

    int result = sched_setscheduler(0, policy, &param);
    if (result == -1) {
        printf("sched_setscheduler(%s) failed: errno=%d (%s)\n", name, errno, strerror(errno));
    } else {
        printf("sched_setscheduler(%s) succeeded.\n", name);
    }
}

int main() {
    printf("Testing sched_setscheduler syscall with various policies:\n");

    test_policy(SCHED_OTHER, "SCHED_OTHER");
    test_policy(SCHED_BATCH, "SCHED_BATCH");
    test_policy(SCHED_IDLE, "SCHED_IDLE");
    test_policy(SCHED_FIFO, "SCHED_FIFO");
    test_policy(SCHED_RR, "SCHED_RR");

    return 0;
}

podman restart qm
cp binary /usr/lib/qm/rootfs/root/
podman exec -it qm bash
# ./binary
# Testing sched_setscheduler syscall with various policies:
sched_setscheduler(SCHED_OTHER) failed: errno=1 (Operation not permitted)
sched_setscheduler(SCHED_BATCH) failed: errno=1 (Operation not permitted)
sched_setscheduler(SCHED_IDLE) failed: errno=1 (Operation not permitted)
sched_setscheduler(SCHED_FIFO) failed: errno=1 (Operation not permitted)
sched_setscheduler(SCHED_RR) failed: errno=1 (Operation not permitted)

My seccomp:

    {
                        "names": [
                                "sched_setscheduler"
                        ],
                        "action": "SCMP_ACT_ERRNO",
                        "args": [
                                {
                                        "index": 1,
                                        "value": 0,
                                        "valueTwo": 0,
                                        "op": "SCMP_CMP_NE"
                                },
                                {
                                        "index": 1,
                                        "value": 3,
                                        "valueTwo": 0,
                                        "op": "SCMP_CMP_NE"
                                },
                                {
                                        "index": 1,
                                        "value": 5,
                                        "valueTwo": 0,
                                        "op": "SCMP_CMP_NE"
                                }
                        ],
                        "errnoRet": 1,
                        "errno": "EPERM"
                },
                {
                        "names": [
                                "sched_setattr"
                        ],
                        "action": "SCMP_ACT_ERRNO",
                        "args": [],
                        "errnoRet": 1,
                        "errno": "EPERM"
                }

@dougsland
Copy link
Collaborator Author

dougsland commented May 2, 2025
edited
Loading

Sounds weird to me but this make it work as Function not implemented for SCHED_FIFO and SCHED_RR shows Operation not permitted.

                {
                  "names": ["sched_setscheduler"],
                  "action": "SCMP_ACT_ALLOW",
                  "args": [
                    { "index": 1, "value": 1, "op": "SCMP_CMP_NE" }
                  ],
                    "comment": "",
                    "includes": {
                    },
                    "excludes": {}
                },
                {
                  "names": ["sched_setscheduler"],
                  "action": "SCMP_ACT_ERRNO",
                  "args": [
                    { "index": 1, "value": 2, "op": "SCMP_CMP_EQ" }
                  ],
                  "errnoRet": 1
                },
                {
                  "names": ["sched_setattr"],
                  "action": "SCMP_ACT_ERRNO",
                  "errnoRet": 1
                }

bash-5.2# ./binary
Testing sched_setscheduler syscall with various policies:
sched_setscheduler(SCHED_OTHER) succeeded.
sched_setscheduler(SCHED_BATCH) succeeded.
sched_setscheduler(SCHED_IDLE) succeeded.
sched_setscheduler(SCHED_FIFO) failed: errno=38 (Function not implemented)
sched_setscheduler(SCHED_RR) failed: errno=1 (Operation not permitted)

Testing sched_setattr syscall:
sched_setattr(SCHED_RR) failed: errno=1 (Operation not permitted)

@dougsland
Copy link
Collaborator Author

dougsland commented May 2, 2025
edited
Loading

On the other side, a simple rule like below works well (
please note: ("defaultAction": "SCMP_ACT_ALLOW")

bash-5.2# ./binary
Testing sched_setscheduler syscall with various policies:
sched_setscheduler(SCHED_OTHER) succeeded.
sched_setscheduler(SCHED_BATCH) succeeded.
sched_setscheduler(SCHED_IDLE) succeeded.
sched_setscheduler(SCHED_FIFO) failed: errno=1 (Operation not permitted)
sched_setscheduler(SCHED_RR) failed: errno=1 (Operation not permitted)

Testing sched_setattr syscall:
sched_setattr(SCHED_RR) failed: errno=1 (Operation not permitted)

{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["sched_setscheduler"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        { "index": 1, "value": 1, "op": "SCMP_CMP_EQ" }
      ],
      "errnoRet": 1
    },
    {
      "names": ["sched_setscheduler"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        { "index": 1, "value": 2, "op": "SCMP_CMP_EQ" }
      ],
      "errnoRet": 1
    },
    {
      "names": ["sched_setattr"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1
    }
  ]
}

@giuseppe
Copy link
Member

giuseppe commented May 5, 2025

{
"names": [
"sched_setscheduler"
],
"action": "SCMP_ACT_ERRNO",
"args": [
{
"index": 1,
"value": 0,
"valueTwo": 0,
"op": "SCMP_CMP_NE"
},
{
"index": 1,
"value": 3,
"valueTwo": 0,
"op": "SCMP_CMP_NE"
},
{
"index": 1,
"value": 5,
"valueTwo": 0,
"op": "SCMP_CMP_NE"
}
],
"errnoRet": 1,
"errno": "EPERM"
},

have you tried adding 3 new rules ($arg1 == 0, $arg1 == 3, $arg1 == 5) each with action SCMP_ACT_ALLOW?

@dougsland
Copy link
Collaborator Author

{
"names": [
"sched_setscheduler"
],
"action": "SCMP_ACT_ERRNO",
"args": [
{
"index": 1,
"value": 0,
"valueTwo": 0,
"op": "SCMP_CMP_NE"
},
{
"index": 1,
"value": 3,
"valueTwo": 0,
"op": "SCMP_CMP_NE"
},
{
"index": 1,
"value": 5,
"valueTwo": 0,
"op": "SCMP_CMP_NE"
}
],
"errnoRet": 1,
"errno": "EPERM"
},

have you tried adding 3 new rules ($arg1 == 0, $arg1 == 3, $arg1 == 5) each with action SCMP_ACT_ALLOW?

Yes, with 3 allow. SCHED_FIFO SCHED_RR still succeeded

   {
           "names": ["sched_setscheduler"],
           "action": "SCMP_ACT_ALLOW",
           "args": [
               {
                   "index": 1,
                   "value": 0,
                   "valueTwo": 0,
                   "op": "SCMP_CMP_EQ"
               }
           ],
           "comment": "",
           "includes": {},
           "excludes": {}
       },
                {
           "names": ["sched_setscheduler"],
           "action": "SCMP_ACT_ALLOW",
           "args": [
               {
                   "index": 3,
                   "value": 0,
                   "valueTwo": 0,
                   "op": "SCMP_CMP_EQ"
               }
           ],
           "comment": "",
           "includes": {},
           "excludes": {}
       },
                {
           "names": ["sched_setscheduler"],
           "action": "SCMP_ACT_ALLOW",
           "args": [
               {
                   "index": 5,
                   "value": 0,
                   "valueTwo": 0,
                   "op": "SCMP_CMP_EQ"
               }
           ],
           "comment": "",
           "includes": {},
           "excludes": {}
       }

# ./binary
Testing sched_setscheduler syscall with various policies:
sched_setscheduler(SCHED_OTHER) succeeded.
sched_setscheduler(SCHED_BATCH) succeeded.
sched_setscheduler(SCHED_IDLE) succeeded.
sched_setscheduler(SCHED_FIFO) succeeded.
sched_setscheduler(SCHED_RR) succeeded.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] approved these changes

@rhatdan rhatdan Awaiting requested review from rhatdan rhatdan is a code owner

@Yarboa Yarboa Awaiting requested review from Yarboa Yarboa is a code owner

@nsednev nsednev Awaiting requested review from nsednev nsednev is a code owner

@aesteve-rh aesteve-rh Awaiting requested review from aesteve-rh aesteve-rh is a code owner

@pengshanyu pengshanyu Awaiting requested review from pengshanyu pengshanyu is a code owner

@kleinffm kleinffm Awaiting requested review from kleinffm kleinffm is a code owner

Assignees

@dougsland dougsland

Labels
jira
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow using BATCH/IDLE scheduler classes in QM
4 participants
@dougsland @rhatdan @giuseppe @alexlarsson