From e1b33e0a7763af24b70ab3216d1dc4d8ee44276f Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 25 Mar 2020 09:57:04 +0100
Subject: [PATCH 1/6] Revert "Jenkinsfile: disable Ubuntu 20.04 "focal" on armhf (arm32), pending fix"

This reverts commit e406392457681ae7fa7c88eaaff094ca3b42da4d.

Signed-off-by: Sebastiaan van Stijn
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index 6e2c507a..2e8d2d7b 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -22,7 +22,7 @@ def images = [
 [image: "ubuntu:bionic", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028)
 [image: "ubuntu:disco", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 19.03 (EOL: January, 2020)
 [image: "ubuntu:eoan", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 19.10 (EOL: July, 2020)
- [image: "ubuntu:focal", arches: ["amd64", "aarch64"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030)
+ [image: "ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030)
 ]
 def generatePackageStep(opts, arch) {
From c074b447c187d47c405d0583df83bfa2be9b9cd2 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 25 Mar 2020 10:01:16 +0100
Subject: [PATCH 2/6] DEBUGGING: remove all platforms except for Ubuntu 20.03/armhf

Signed-off-by: Sebastiaan van Stijn
---
 Jenkinsfile | 43 +------------------------------------------
 1 file changed, 1 insertion(+), 42 deletions(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index 2e8d2d7b..633b556c 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -6,22 +6,6 @@
 // This list is ordered by Distro (alphabetically), and release (chronologically).
 // When adding a distro here, also open a pull request in the release repository.
 def images = [
- [image: "amazonlinux:2", arches: ["aarch64"]],
- [image: "centos:7", arches: ["amd64", "aarch64", "armhf"]],
- [image: "centos:8", arches: ["amd64", "aarch64"]], // Note: armhf (arm32) images are currently not available on Docker Hub
- [image: "debian:stretch", arches: ["amd64", "aarch64", "armhf"]], // Debian 9 (EOL: June, 2022)
- [image: "debian:buster", arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024)
- [image: "fedora:29", arches: ["amd64", "aarch64"]],
- [image: "fedora:30", arches: ["amd64", "aarch64"]],
- [image: "fedora:31", arches: ["amd64", "aarch64"]],
- [image: "fedora:latest", arches: ["amd64"]],
- [image: "opensuse/leap:15", arches: ["amd64"]],
- [image: "balenalib/rpi-raspbian:stretch", arches: ["armhf"]],
- [image: "balenalib/rpi-raspbian:buster", arches: ["armhf"]],
- [image: "ubuntu:xenial", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 16.04 LTS (End of support: April, 2021. EOL: April, 2024)
- [image: "ubuntu:bionic", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028)
- [image: "ubuntu:disco", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 19.03 (EOL: January, 2020)
- [image: "ubuntu:eoan", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 19.10 (EOL: July, 2020)
 [image: "ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030)
 ]
@@ -54,38 +38,13 @@ def generatePackageSteps(opts) {
 }
 }
-def packageBuildSteps = [
- "windows": { ->
- node("windows-2019") {
- stage("windows") {
- try {
- checkout scm
- sh("git clone https://github.com/containerd/containerd containerd-src")
- def sanitized_workspace=env.WORKSPACE.replaceAll("\\\\", '/')
- // Replace windows path separators with unix style path
- sh("make CONTAINERD_DIR=${sanitized_workspace}/containerd-src -f Makefile.win archive")
- } finally {
- deleteDir()
- }
- }
- }
- }
-]
+def packageBuildSteps = [:]
 packageBuildSteps << images.collectEntries { generatePackageSteps(it) }
 pipeline {
 agent none
 stages {
- stage('Check file headers') {
- agent { label 'linux&&amd64' }
- steps{
- script{
- checkout scm
- sh "make validate"
- }
- }
- }
 stage('Build packages') {
 steps {
 script {
From f16eefab9e839c2f5348ce3c1ff9747754ad3f79 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Tue, 24 Mar 2020 17:42:33 +0100
Subject: [PATCH 3/6] DEBUGGING: check if seccomp is causing failures on arm32

Moved this step to the docker run, instead of docker build, so that we run it without seccomp enabled

Signed-off-by: Sebastiaan van Stijn
---
 Makefile | 2 +-
 dockerfiles/deb.dockerfile | 24 ++++++++++++------------
 scripts/build-deb | 10 ++++++++++
 3 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/Makefile b/Makefile
index d4d83d60..71cd4e15 100644
--- a/Makefile
+++ b/Makefile
@@ -47,7 +47,7 @@ ifdef CREATE_ARCHIVE
 VOLUME_MOUNTS+= -v "$(CURDIR)/archive:/archive"
 endif
-RUN=docker run --rm $(VOLUME_MOUNTS) -i $(ENV_VARS) $(BUILDER_IMAGE)
+RUN=docker run --security-opt seccomp=unconfined -e DEBIAN_FRONTEND=noninteractive --rm $(VOLUME_MOUNTS) -i $(ENV_VARS) $(BUILDER_IMAGE)
 CHOWN=docker run --rm -v $(CURDIR):/v -w /v alpine chown
 CHOWN_TO_USER=$(CHOWN) -R $(shell id -u):$(shell id -g)
diff --git a/dockerfiles/deb.dockerfile b/dockerfiles/deb.dockerfile
index 7db83657..6a7149fd 100644
--- a/dockerfiles/deb.dockerfile
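Review bot: `--security-opt seccomp=unconfined` on the `RUN` line switches off the syscall filter for every package build on every platform, not only the arm32/focal case this DEBUGGING commit is chasing, and nothing in the Makefile marks it as temporary, so it would survive a merge unnoticed. If it has to stay for the bisect, make it opt-in so the daemon's default profile is kept everywhere else, e.g. `SECCOMP_OPT ?=` above and `RUN=docker run $(SECCOMP_OPT) --rm $(VOLUME_MOUNTS) -i $(ENV_VARS) $(BUILDER_IMAGE)`, passing `SECCOMP_OPT="--security-opt seccomp=unconfined"` only from the arm32 job. `-e DEBIAN_FRONTEND=noninteractive` is now hard-coded on the same line alongside `$(ENV_VARS)`, which presumably is where such settings are meant to go; a one-line `# TEMPORARY (DEBUGGING): seccomp disabled to bisect arm32/focal apt failures` comment would at least flag both.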
+++ b/dockerfiles/deb.dockerfile
@@ -42,14 +42,14 @@ RUN cat /etc/os-release
 ARG DEBIAN_FRONTEND=noninteractive
 # Install some pre-reqs
-RUN apt-get update && apt-get install -y --no-install-recommends \
- curl \
- devscripts \
- equivs \
- git \
- lsb-release \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
+#RUN apt-get update && apt-get install -y --no-install-recommends \
+# curl \
+# devscripts \
+# equivs \
+# git \
+# lsb-release \
+# && apt-get clean \
+# && rm -rf /var/lib/apt/lists/*
 RUN mkdir -p /go
 ENV GOPATH=/go
@@ -63,10 +63,10 @@ COPY debian/ /root/containerd/debian/
 WORKDIR /root/containerd
 # Install all of our build dependencies, if any
-RUN apt-get update \
- && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i debian/control \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
+#RUN apt-get update \
+# && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i debian/control \
+# && apt-get clean \
+# && rm -rf /var/lib/apt/lists/*
 # Copy over our entrypoint
 COPY scripts/build-deb /build-deb
diff --git a/scripts/build-deb b/scripts/build-deb
index f7e794de..9ca9fcdb 100755
--- a/scripts/build-deb
+++ b/scripts/build-deb
@@ -18,6 +18,16 @@ source /.helpers
 set -e
+apt-get update && apt-get install -y --no-install-recommends \
+ curl \
+ devscripts \
+ equivs \
+ git \
+ lsb-release \
+ && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i debian/control \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 VERSION="$(git -C "${GO_SRC_PATH}" describe --tags | sed 's/^v//')"
 # Check if we're on a tagged version, change VERSION to dev build if not
 if ! git -C "${GO_SRC_PATH}" describe --exact-match HEAD >/dev/null 2>&1; then
From 116704d527b43ced5f573de7d39e20d5a9a4d3fc Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Tue, 24 Mar 2020 19:03:30 +0100
Subject: [PATCH 4/6] DEBUGGING: minimal reproducer
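Review bot: The new `apt-get update && apt-get install ... && mk-build-deps ... && rm -rf /var/lib/apt/lists/*` chain is not covered by the `set -e` directly above it: when `apt-get update` or `mk-build-deps` fails the `&&` list short-circuits, and the shell only exits on a failure of the command after the final `&&`, so the script carries on to the `git describe` and fails later with an unrelated error. Split the chain into separate statements, or end it with an explicit `|| exit 1`, so a dependency-install failure stops the build where it happens. Moving dependency installation out of the image build and into the entrypoint also means every run now fetches unpinned packages from the network at build time (under whatever `docker run` flags the Makefile passes), so the build inputs are no longer captured in the builder image; a `# TEMPORARY (DEBUGGING): deps installed at run time to test without seccomp` comment would keep this from being merged as-is. The remainder of build-deb continues outside the hunk.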
Signed-off-by: Sebastiaan van Stijn
---
 Jenkinsfile | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/Jenkinsfile b/Jenkinsfile
index 633b556c..5ac3c7ae 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -19,6 +19,17 @@ def generatePackageStep(opts, arch) {
 sh '''
 curl -fsSL "https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh" | bash || true
 '''
+ sh '''
+ if [ "$(uname -p)" = "armv7l" ]; then
+ docker pull arm32v7/ubuntu:focal;
+
+ # Minimal reproducer: this should pass
+ docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=unconfined arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
+
+ # Minimal reproducer: this should fail
+ docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
+ fi
+ '''
 sh("docker pull ${opts.image}")
 checkout scm
 sh("make BUILD_IMAGE=${opts.image} CREATE_ARCHIVE=1 clean build")
From db8267c5f8b27654f261ebc90f4b0a11afca6224 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 25 Mar 2020 15:36:35 +0100
Subject: [PATCH 5/6] DEBUGGING: try new seccomp profile with _time64 added

Signed-off-by: Sebastiaan van Stijn
---
 Jenkinsfile | 6 +-
 default.json | 816 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 820 insertions(+), 2 deletions(-)
 create mode 100644 default.json

diff --git a/Jenkinsfile b/Jenkinsfile
index 5ac3c7ae..14de1be6 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
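Review bot: The second reproducer is labelled "this should fail", but it runs as a bare `docker run` inside a Jenkins `sh` step, so when it fails as expected the step aborts and neither `docker pull ${opts.image}` nor the real `make ... clean build` below it executes — the diagnostic masks the build it was added to diagnose. Capture the outcome instead of letting it propagate, e.g. `docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6' || echo "reproducer under default seccomp profile failed (exit $?)"`. Both reproducers pull `arm32v7/ubuntu:focal` by floating tag, so the result depends on whatever the tag points at that day; if this stays for bisection, pin the image by digest and say so in the comment. The enclosing `try` of this step starts before the hunk.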
@@ -16,22 +16,24 @@ def generatePackageStep(opts, arch) {
 try {
 sh 'docker version'
 sh 'docker info'
+ sh 'apt list libseccomp2 -a'
 sh '''
 curl -fsSL "https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh" | bash || true
 '''
+ checkout scm
 sh '''
 if [ "$(uname -p)" = "armv7l" ]; then
+
 docker pull arm32v7/ubuntu:focal;
 # Minimal reproducer: this should pass
 docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=unconfined arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
 # Minimal reproducer: this should fail
- docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
+ docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=./default.json arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
 fi
 '''
 sh("docker pull ${opts.image}")
- checkout scm
 sh("make BUILD_IMAGE=${opts.image} CREATE_ARCHIVE=1 clean build")
 archiveArtifacts(artifacts: 'archive/*.tar.gz', onlyIfSuccessful: true)
 } finally {
diff --git a/default.json b/default.json
new file mode 100644
index 00000000..e9f54af4
--- /dev/null
+++ b/default.json
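Review bot: The comment above the rewritten `docker run` still says `# Minimal reproducer: this should fail`, but the command now passes `--security-opt seccomp=./default.json`, the profile this commit adds precisely so that the run succeeds; the comment should state the actual expectation, e.g. `# Minimal reproducer: should pass with the repo's default.json (moby default + *_time64 syscalls)`. `./default.json` is resolved relative to the step's working directory and only exists because `checkout scm` was moved above this `sh` block in the same hunk — a short comment on the `checkout scm` line (`// must precede the reproducer: it supplies ./default.json`) would stop a later reorder from turning this into a "profile not found" failure. Whether the daemon accepts the new `*_time64` names presumably depends on the node's libseccomp, which is what the added `apt list libseccomp2 -a` seems intended to show, so that output needs to be read alongside the reproducer's result.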
@@ -0,0 +1,816 @@ +{ + "defaultAction": "SCMP_ACT_ERRNO", + "archMap": [ + { + "architecture": "SCMP_ARCH_X86_64", + "subArchitectures": [ + "SCMP_ARCH_X86", + "SCMP_ARCH_X32" + ] + }, + { + "architecture": "SCMP_ARCH_AARCH64", + "subArchitectures": [ + "SCMP_ARCH_ARM" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64" + ] + }, + { + "architecture": "SCMP_ARCH_S390X", + "subArchitectures": [ + "SCMP_ARCH_S390" + ] + } + ], + "syscalls": [ + { + "names": [ + "accept", + "accept4", + "access", + "adjtimex", + "alarm", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_getres", + "clock_getres_time64", + "clock_gettime", + "clock_gettime64", + "clock_nanosleep", + "clock_nanosleep_time64", + "close", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", + "futex_time64", + "futimesat", + "getcpu", + "getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + 
"geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + "getitimer", + "getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "get_robust_list", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "get_thread_area", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "io_cancel", + "ioctl", + "io_destroy", + "io_getevents", + "io_pgetevents", + "io_pgetevents_time64", + "ioprio_get", + "ioprio_set", + "io_setup", + "io_submit", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", + "ipc", + "kill", + "lchown", + "lchown32", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "_llseek", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mprotect", + "mq_getsetattr", + "mq_notify", + "mq_open", + "mq_timedreceive", + "mq_timedreceive_time64", + "mq_timedsend", + "mq_timedsend_time64", + "mq_unlink", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munlock", + "munlockall", + "munmap", + "nanosleep", + "newfstatat", + "_newselect", + "open", + "openat", + "pause", + "pipe", + "pipe2", + "poll", + "ppoll", + "ppoll_time64", + "prctl", + "pread64", + "preadv", + "preadv2", + "prlimit64", + "pselect6", + "pselect6_time64", + "pwrite64", + "pwritev", + "pwritev2", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "recv", + "recvfrom", + "recvmmsg", + "recvmmsg_time64", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + 
"rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_sigtimedwait_time64", + "rt_tgsigqueueinfo", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_get_priority_max", + "sched_get_priority_min", + "sched_getscheduler", + "sched_rr_get_interval", + "sched_rr_get_interval_time64", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "semtimedop_time64", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "setfsgid", + "setfsgid32", + "setfsuid", + "setfsuid32", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setrlimit", + "set_robust_list", + "setsid", + "setsockopt", + "set_thread_area", + "set_tid_address", + "setuid", + "setuid32", + "setxattr", + "shmat", + "shmctl", + "shmdt", + "shmget", + "shutdown", + "sigaltstack", + "signalfd", + "signalfd4", + "sigprocmask", + "sigreturn", + "socket", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", + "tee", + "tgkill", + "time", + "timer_create", + "timer_delete", + "timer_getoverrun", + "timer_gettime", + "timer_gettime64", + "timer_settime", + "timer_settime64", + "timerfd_create", + "timerfd_gettime", + "timerfd_gettime64", + "timerfd_settime", + "timerfd_settime64", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "uname", + "unlink", + "unlinkat", + "utime", + "utimensat", + "utimensat_time64", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": 
{}, + "excludes": {} + }, + { + "names": [ + "ptrace" + ], + "action": "SCMP_ACT_ALLOW", + "args": null, + "comment": "", + "includes": { + "minKernel": "4.8" + }, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 0, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 8, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 131072, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 131080, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 4294967295, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "sync_file_range2" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "ppc64le" + ] + }, + "excludes": {} + }, + { + "names": [ + "arm_fadvise64_64", + "arm_sync_file_range", + "sync_file_range2", + "breakpoint", + "cacheflush", + "set_tls" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "arm", + "arm64" + ] + }, + "excludes": {} + }, + { + "names": [ + "arch_prctl" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32" + ] + }, + "excludes": {} + }, + { + "names": [ + "modify_ldt" + ], + "action": "SCMP_ACT_ALLOW", + "args": 
[], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32", + "x86" + ] + }, + "excludes": {} + }, + { + "names": [ + "s390_pci_mmio_read", + "s390_pci_mmio_write", + "s390_runtime_instr" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": {} + }, + { + "names": [ + "open_by_handle_at" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_DAC_READ_SEARCH" + ] + }, + "excludes": {} + }, + { + "names": [ + "bpf", + "clone", + "fanotify_init", + "lookup_dcookie", + "mount", + "name_to_handle_at", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + "syslog", + "umount", + "umount2", + "unshare" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + }, + "excludes": {} + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 2114060288, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ], + "arches": [ + "s390", + "s390x" + ] + } + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 1, + "value": 2114060288, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "s390 parameter ordering for clone is different", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + } + }, + { + "names": [ + "reboot" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_BOOT" + ] + }, + "excludes": {} + }, + { + "names": [ + "chroot" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_CHROOT" + ] + }, + "excludes": {} + }, + { + "names": [ + "delete_module", + "init_module", + "finit_module", + 
"query_module" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_MODULE" + ] + }, + "excludes": {} + }, + { + "names": [ + "acct" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_PACCT" + ] + }, + "excludes": {} + }, + { + "names": [ + "kcmp", + "process_vm_readv", + "process_vm_writev", + "ptrace" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_PTRACE" + ] + }, + "excludes": {} + }, + { + "names": [ + "iopl", + "ioperm" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_RAWIO" + ] + }, + "excludes": {} + }, + { + "names": [ + "settimeofday", + "stime", + "clock_settime" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_TIME" + ] + }, + "excludes": {} + }, + { + "names": [ + "vhangup" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_TTY_CONFIG" + ] + }, + "excludes": {} + }, + { + "names": [ + "get_mempolicy", + "mbind", + "set_mempolicy" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_NICE" + ] + }, + "excludes": {} + }, + { + "names": [ + "syslog" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYSLOG" + ] + }, + "excludes": {} + } + ] +} \ No newline at end of file From b9ed41646d0456da94dd4dbaae90a274ecd8a366 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 25 Mar 2020 16:57:44 +0100 Subject: [PATCH 6/6] DEBUGGING: try installing libseccomp2 2.4.3 (ubuntu focal) Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 14de1be6..f28cc056 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
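Review bot: A seccomp profile committed to the repo is a security policy that will drift from the daemon's built-in default, and this one carries no provenance: the JSON has no room for comments, and the commit message only says "_time64 added", so the upstream revision it was copied from and the exact entries added here are not recorded anywhere. Add a short note next to the file (README, or the Jenkinsfile step that references it) naming the upstream profile revision and listing the additions (`clock_getres_time64`, `clock_gettime64`, `clock_nanosleep_time64`, `futex_time64`, `ppoll_time64`, `pselect6_time64`, `recvmmsg_time64`, `rt_sigtimedwait_time64`, `utimensat_time64` and the remaining `*_time64` names), so a reviewer can verify that nothing else was relaxed relative to upstream. The file also lacks a trailing newline.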
@@ -23,13 +23,24 @@ def generatePackageStep(opts, arch) {
 checkout scm
 sh '''
 if [ "$(uname -p)" = "armv7l" ]; then
+ echo "installing libseccomp2_2.4.3-0ubuntu2_armhf.deb"
+ curl -fsSL https://launchpad.net/ubuntu/+archive/primary/+files/libseccomp2_2.4.3-0ubuntu2_armhf.deb > libseccomp2_2.4.3-0ubuntu2_armhf.deb
+
+ sudo dpkg -i libseccomp2_2.4.3-0ubuntu2_armhf.deb
+
+ rm libseccomp2_2.4.3-0ubuntu2_armhf.deb
+
+ apt list libseccomp2 -a
 docker pull arm32v7/ubuntu:focal;
- # Minimal reproducer: this should pass
+ echo "Minimal reproducer: this should pass (seccomp disabled)"
 docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=unconfined arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
- # Minimal reproducer: this should fail
+ echo "Minimal reproducer: this should pass (updated seccomp profile)"
+ docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=./default.json arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
+
+ echo "Minimal reproducer: default seccomp profile"
 docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=./default.json arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
 fi
 '''
@@ -38,6 +49,7 @@ def generatePackageStep(opts, arch) {
 archiveArtifacts(artifacts: 'archive/*.tar.gz', onlyIfSuccessful: true)
 } finally {
 sh "sudo chmod -R 777 ."
+ sh "sudo apt-get install -y --allow-downgrades libseccomp2=2.4.1-0ubuntu0.16.04.2"
 deleteDir()
 }
 }
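Review bot: `curl -fsSL https://launchpad.net/... > libseccomp2_2.4.3-0ubuntu2_armhf.deb` followed by `sudo dpkg -i` installs an unverified package as root on the CI node itself, outside any container: nothing checks a digest or signature, and TLS alone does not tie the bytes to the package the commit intends, so add `echo "<sha256>  libseccomp2_2.4.3-0ubuntu2_armhf.deb" | sha256sum -c -` (digest taken from the Launchpad package page) before the `dpkg -i`, or fetch it through the archive with `apt-get download` so apt's signature check applies. Separately, the third reproducer is announced as `Minimal reproducer: default seccomp profile` but still passes `--security-opt seccomp=./default.json`, identical to the second one, so the daemon's built-in profile is never exercised after the libseccomp upgrade — drop the `--security-opt` flag on that line. The `sh` block's enclosing `try` begins before the hunk.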
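Review bot: The added `sh "sudo apt-get install -y --allow-downgrades libseccomp2=2.4.1-0ubuntu0.16.04.2"` runs in `finally` before `deleteDir()`, so if the downgrade fails the `sh` step throws and the workspace is never cleaned; run it after `deleteDir()`, or as `sh "sudo apt-get install ... || true"`, so cleanup is unconditional. It also runs on every node for every image rather than only on the armv7l node where the `dpkg -i` happened, and it pins a 16.04 package version that presumably matches that node's release — on any other node this line would fail every build from inside `finally`. Guard it with the same `uname -p` check the install uses.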