Merge pull request #4863 from oasisprotocol/yawning/stable/22.1.x/backport-4862

Yawning · web-flow · commit 099e5bff3ac5 · 2022-07-25T17:18:25.000Z
go/runtime/host/sandbox/process: Handle missing clone3
diff --git a/.changelog/4861.bugfix.md b/.changelog/4861.bugfix.md
@@ -0,0 +1,4 @@
+go/runtime/host/sandbox/process: Handle missing clone3
+
+This should fix seccomp filter generation failures on systems with
+ancient kernel/userland pairs (RHEL8 and variants).
diff --git a/go/common/dynlib/cache.go b/go/common/dynlib/cache.go
@@ -336,7 +336,7 @@ func LoadCache() (*Cache, error) {
 func loadCacheGlibc() (*Cache, error) {
 	const entrySz = 4 + 4 + 4 + 4 + 8
 
-	ourOsVersion, err := getOsVersion()
+	ourOsVersion, err := GetOsVersion()
 	if err != nil {
 		return nil, err
 	}
diff --git a/go/common/dynlib/cache_test.go b/go/common/dynlib/cache_test.go
@@ -40,6 +40,11 @@ func TestCache(t *testing.T) {
 
 	t.Logf("Test binary: %+v", fn)
 
+	v, err := GetOsVersion()
+	if err == nil {
+		t.Logf("OS version: %02x", v)
+	}
+
 	impls := []struct {
 		name string
 		ctor ctorFn
diff --git a/go/common/dynlib/hwcap_linux.go b/go/common/dynlib/hwcap_linux.go
@@ -37,7 +37,8 @@ import (
 	"syscall"
 )
 
-func getOsVersion() (uint32, error) {
+// GetOsVersion returns the operating system version (major, minor, pl).
+func GetOsVersion() (uint32, error) {
 	var buf syscall.Utsname
 	err := syscall.Uname(&buf)
 	if err != nil {
diff --git a/go/common/dynlib/hwcap_other.go b/go/common/dynlib/hwcap_other.go
@@ -24,6 +24,6 @@
 
 package dynlib
 
-func getOsVersion() (uint32, error) {
+func GetOsVersion() (uint32, error) {
 	return 0, errUnsupported
 }
diff --git a/go/runtime/host/sandbox/process/seccomp_linux.go b/go/runtime/host/sandbox/process/seccomp_linux.go
@@ -8,6 +8,8 @@ import (
 	"syscall"
 
 	seccomp "github.com/seccomp/libseccomp-golang"
+
+	"github.com/oasisprotocol/oasis-core/go/common/dynlib"
 )
 
 // A list of syscalls allowed with any arguments.
@@ -355,6 +357,21 @@ func generateSeccompPolicy(out *os.File) error {
 		return err
 	}
 
+	// Handle clone3 if the kernel is new enough to support it.
+	osVersion, err := dynlib.GetOsVersion()
+	if err != nil {
+		return err
+	}
+	if osVersion >= 0o50300 { // "The clone3() system call first appeared in Linux 5.3.""
+		if err = handleClone3(filter); err != nil {
+			return err
+		}
+	}
+
+	return filter.ExportBPF(out)
+}
+
+func handleClone3(filter *seccomp.ScmpFilter) error {
 	// We need to handle the clone3 syscall in a special manner as there are several complications
 	// to its handling:
 	//
@@ -373,6 +390,5 @@ func generateSeccompPolicy(out *os.File) error {
 	if err != nil {
 		return err
 	}
-
-	return filter.ExportBPF(out)
+	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -336,7 +336,7 @@ func LoadCache() (*Cache, error) {`
`336`	`336`	`func loadCacheGlibc() (*Cache, error) {`
`337`	`337`	`const entrySz = 4 + 4 + 4 + 4 + 8`
`338`	`338`
`339`		`- ourOsVersion, err := getOsVersion()`
	`339`	`+ ourOsVersion, err := GetOsVersion()`
`340`	`340`	`if err != nil {`
`341`	`341`	`return nil, err`
`342`	`342`	`}`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,8 @@ import (`
`37`	`37`	`"syscall"`
`38`	`38`	`)`
`39`	`39`
`40`		`-func getOsVersion() (uint32, error) {`
	`40`	`+// GetOsVersion returns the operating system version (major, minor, pl).`
	`41`	`+func GetOsVersion() (uint32, error) {`
`41`	`42`	`var buf syscall.Utsname`
`42`	`43`	`err := syscall.Uname(&buf)`
`43`	`44`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,6 @@`
`24`	`24`
`25`	`25`	`package dynlib`
`26`	`26`
`27`		`-func getOsVersion() (uint32, error) {`
	`27`	`+func GetOsVersion() (uint32, error) {`
`28`	`28`	`return 0, errUnsupported`
`29`	`29`	`}`