Looks like CI is failing, because the json version was not updated as part of this PR;

17:32:36 The result of go generate ./profiles/seccomp/ differs
17:32:36 
17:32:36  M profiles/seccomp/default.json
17:32:36 
17:32:36 Please re-run go generate ./profiles/seccomp/

ping @justincormack @crosbymichael PTAL

Looks like CI is failing, because the json version was not updated as part of this PR;

17:32:36 The result of go generate ./profiles/seccomp/ differs
17:32:36 
17:32:36  M profiles/seccomp/default.json
17:32:36 
17:32:36 Please re-run go generate ./profiles/seccomp/

I made a mistake thinking the json file is manually written, and it should be generated. I have fixed that now but some of the ci seems to be failing because of removing some non-existing folder (C:\go), what does that mean?

Thanks! The RS5 failure can be ignored (see #39403)

Thanks! The RS5 failure can be ignored (see #39403)

The only failure left is TestAPISwarmServicesMultipleAgents in janky, which does not seem to be relevant. I read the code but it is not about seccomp.

yes, looks like that one is sometimes flaky; #23626

I'll restart CI

yes, looks like that one is sometimes flaky; #23626

I'll restart CI

This time it's only a few SKIPs & XFAILs, why is it marked as failing again?

Looks to be an issue with the docker-py tests;

15:06:25 _______________________ ExecTest.test_exec_command_demux _______________________
15:06:25 /docker-py/tests/integration/api_exec_test.py:182: in test_exec_command_demux
15:06:25     assert next(exec_log) == (b'hello out\r\n', None)
15:06:25 E   AssertionError: assert ('hello out\r...rr\r\n', None) == ('hello out\r\n', None)
15:06:25 E     At index 0 diff: 'hello out\r\nhello err\r\n' != 'hello out\r\n'
15:06:25 E     Use -v to get the full diff
15:06:25 - generated xml file: /go/src/github.com/docker/docker/bundles/test-docker-py/results.xml -

I'll kick that build

Are there any other new syscalls since the last update?

ping @omegacoleman could you answer @justincormack's question (and sort the list #39415 (comment))?

Are there any other new syscalls since the last update?

The precise answer is "I don't know" since I'm just a network dev not kernel dev, but even though there are, the new system call has to be added to the upstream libseccomp's syscall translation (name -> number) before it could be added to the config here, and these calls were added.

Sorry for the delay as it is well, trival & as the upstream has added the calls I was able to just override the config myself..

Codecov Report

❗ No coverage uploaded for pull request base (master@4ce0402). Click here to learn what that means.
The diff coverage is 0%.

@@            Coverage Diff            @@
##             master   #39415   +/-   ##
=========================================
  Coverage          ?   37.34%           
=========================================
  Files             ?      609           
  Lines             ?    45200           
  Branches          ?        0           
=========================================
  Hits              ?    16882           
  Misses            ?    26030           
  Partials          ?     2288

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "master" git@github.com:omegacoleman/moby.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354606984
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

Thanks for updating; could you try rebasing the PR to get rid of the merge commit?

done

windows failure is unrelated; let me get this one in

This seems like it's a bad idea -- io_uring allows programs to execute certain syscalls without being limited by seccomp. Currently all of the syscalls you can access through io_uring are permitted in the default profile, but I'm a little worried that this wasn't brought up at the time.

@cyphar it looks like io_uring will get its own restriction mechanisms see eg https://lwn.net/SubscriberLink/826053/c58110f9c3493661/. I really don't think we can restrict access to a syscall that lots of people want to use based on the fact it might in future add support for unsafe actions.

I am reviewing the whole seccomp policy based on what has been useful in the past.

Funnily enough, I found this PR after commenting on that LWN article. The problem with that restriction mechanism is that it doesn't really fulfil the seccomp usecase (as long as you can create a new io_uring ring, you can opt to not enable restrictions for it). But Kees has said he's interested in figuring out how to get seccomp to limit io_uring, so I am hopeful this will happen.

Funnily enough, I found this PR after commenting on that LWN article. The problem with that restriction mechanism is that it doesn't really fulfil the seccomp usecase (as long as you can create a new io_uring ring, you can opt to not enable restrictions for it). But Kees has said he's interested in figuring out how to get seccomp to limit io_uring, so I am hopeful this will happen.

From what I got from the news they're working on sth like using eBPF to filter the SQEs upon ktail update. Will try to make that configurable after kernel & libseccomp get that feature.

Shall we revert this until we find the solution?

I don't think it's necessary to revert. The default profile allows everything that you can do with io_uring -- and custom profiles should be modified accordingly. I was more just surprised that this wasn't mentioned at the time. io_uring will grow support for more syscalls in the future so we should keep an eye on this.

for future visitors; these were removed again in;

• seccomp: block io_uring_* syscalls in default profile #46762
• and in containerd: Update RuntimeDefault seccomp profile to disallow io_uring related syscalls containerd/containerd#9320