An interesting issue handling the seccomp listener
Table of Contents
A bug report filed against crun a few days ago exposed a deadlock: under certain seccomp profiles, the runtime would hang indefinitely before the container process ever started. The root cause is a subtle sequencing problem between installing a seccomp filter that intercepts a syscall and then immediately using that same syscall to hand off the resulting listener file descriptor to the userspace handler — the very handler that has not yet received the descriptor it needs to process the interception.
The reporter noticed that the following configuration worked fine with runc but caused crun to hang:
|
|
Seccomp supports user-space notifications: when a syscall is configured with SCMP_ACT_NOTIFY, the kernel opens a file descriptor and returns it to the caller instead of silently allowing or denying the syscall. That descriptor is subsequently used to receive notifications for every intercepted call.
The OCI runtime does not handle these notifications directly — it passes the file descriptor to a separate listener process. The listenerPath field in the OCI configuration specifies the UNIX socket that will receive the listener fd once crun has obtained it.
The bug was straightforward: crun was using sendmsg(2) to deliver the fd to that socket, but doing so immediately after installing the seccomp filter. Since sendmsg itself was in the intercept list, the call blocked waiting for a listener that had not yet received the fd — a classic deadlock.
What to do?#
The problem we need to solve is to send the file descriptor from an
environment where the sendmsg is not blocked,
This is easily achieved with a helper process, that is created just before the seccomp filter is installed. The helper process will be responsible to send the file descriptor to the specified socket.
From the issue report, it seems that runc has already solved the
problem by using a pipe to inform the helper process on what fd
contains the seccomp listener and then let the helper process retrieve
the file descriptor with the pidfd_getfd(2) syscall.
Two issues with this approach are:
- it requires a new kernel feature,
pidfd_getfd(2). - it still expects
write(2)to not be filtered by seccomp.
The first issue can be solved by using a different approach, instead
of using pidfd_getfd(2), we can fork the helper process with the
CLONE_FILES flag, so the helper process will have the same file
descriptors as the parent process!
We still need to solve the second issue, but we can do that by using a shared memory region and let the helper process do a busy loop on the region until it contains the file descriptor number.
Shared memory#
The shared memory region is backed by a memfd created as:
|
|
The first block creates the memfd file, the second one resizes it to the size of an atomic int and the third one maps it in memory.
Helper process#
Now that there is a way for the two processes to communicate without using any syscall we can look at the helper process, that just does:
|
|
the prctl(2) call is used to make sure that the helper process won’t
survive its parent process.
Once the fd is retrieved from the shared memory region, the
send_fd_to_socket_with_payload function sends it to the receiver
socket using the sendmsg(2) syscall.
Main process#
The main process, the one that will be eventually execve the container program, just does:
|
|
The syscall_seccomp function is a wrapper around the seccomp(2)
syscall to install the seccomp filter and retrieve the listener fd.
The *fd_to_send = ret; assignment writes the listener file
descriptor to the shared memory and that the helper process will
consume.
Conclusion#
With all of this in place, crun accepts a seccomp profile with no
limitations on what syscalls can be intercepted with
SCMP_ACT_NOTIFY.
The notified process, that receives the seccomp listener, must still
ensure that all syscalls until the execve(2) syscall are allowed,
otherwise the OCI runtime will fail to start the container.