Allow sched_getaffinity in syscall filters

prattmic · gvisor-bot · commit 33d4ca3a0ff5 · 2025-05-28T13:03:50.000-07:00
Go 1.25's automatic GOMAXPROCS background updates will periodically call
sched_getaffinity (for total CPU count) and pread64 (for cgroup quota limit).
The latter is already allowed by the filters, but the former is not.

In the sentry, the explicit runtime.GOMAXPROCS call at startup disables the
runtime's automatic updates. In theory this makes the filter unnecessary,
however the runtime only actually guarantees it won't change the value of
GOMAXPROCS after runtime.GOMAXPROCS. It does not guarantee that a concurrent
update run won't call the syscalls after runtime.GOMAXPROCS returns (when this
happens, the runtime by definition must later discard any change it finds).

That means it is theoretically possible for a background sched_getaffinity call
to occur after filters are installed.

This lack of guarantee makes the feature difficult to work with, so I intend to
change the runtime to provide a stronger guarantee, but until then I don't
think it hurts to allow this system call.

I haven't actually seen a failure due to a concurrent update yet, this is
precautionary.

Note that the gofer does not explicitly set GOMAXPROCS, so it will continue to
need the filter unless that changes.

PiperOrigin-RevId: 764381364
diff --git a/runsc/boot/filter/config/config_main.go b/runsc/boot/filter/config/config_main.go
@@ -253,7 +253,22 @@ var allowedSyscalls = seccomp.MakeSyscallRules(map[uintptr]seccomp.SyscallRule{
 	unix.SYS_RT_SIGACTION:    seccomp.MatchAll{},
 	unix.SYS_RT_SIGPROCMASK:  seccomp.MatchAll{},
 	unix.SYS_RT_SIGRETURN:    seccomp.MatchAll{},
-	unix.SYS_SCHED_YIELD:     seccomp.MatchAll{},
+	// TODO(go.dev/issue/73193): sched_getaffinity is used by Go's
+	// automatic GOMAXPROCS updater. The runtime.GOMAXPROCS call in
+	// boot.New explicitly disables this updater. Currently
+	// runtime.GOMAXPROCS guarantees that the updater will not change
+	// GOMAXPROCS after runtime.GOMAXPROCS return. However, it does not
+	// guarantee that a concurrent update run will not perform the system
+	// call after runtime.GOMAXPROCS returns. So there is a tiny probability
+	// that we will manage to install filters before such a concurrent run
+	// calls sched_getaffinity.
+	//
+	// The Go runtime should make a stronger guarantee. Until then, allow the
+	// syscall.
+	unix.SYS_SCHED_GETAFFINITY: seccomp.PerArg{
+		seccomp.EqualTo(0),
+	},
+	unix.SYS_SCHED_YIELD: seccomp.MatchAll{},
 	unix.SYS_SENDMSG: seccomp.PerArg{
 		seccomp.AnyValue{},
 		seccomp.AnyValue{},
diff --git a/runsc/fsgofer/filter/config.go b/runsc/fsgofer/filter/config.go
@@ -162,7 +162,11 @@ var allowedSyscalls = seccomp.MakeSyscallRules(map[uintptr]seccomp.SyscallRule{
 	unix.SYS_RT_SIGACTION:   seccomp.MatchAll{},
 	unix.SYS_RT_SIGPROCMASK: seccomp.MatchAll{},
 	unix.SYS_RT_SIGRETURN:   seccomp.MatchAll{},
-	unix.SYS_SCHED_YIELD:    seccomp.MatchAll{},
+	// Used by Go's automatic GOMAXPROCS updater.
+	unix.SYS_SCHED_GETAFFINITY: seccomp.PerArg{
+		seccomp.EqualTo(0),
+	},
+	unix.SYS_SCHED_YIELD: seccomp.MatchAll{},
 	unix.SYS_SENDMSG: seccomp.Or{
 		// Used by fdchannel.Endpoint.SendFD().
 		seccomp.PerArg{
