Merge pull request #4863 from oasisprotocol/yawning/stable/22.1.x/bac…

…kport-4862 go/runtime/host/sandbox/process: Handle missing clone3
oasisprotocol · Jul 25, 2022 · 099e5bf · 099e5bf
2 parents 87dc2e5 + a9ecc35
commit 099e5bf
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 5 deletions.
diff --git a/.changelog/4861.bugfix.md b/.changelog/4861.bugfix.md
@@ -0,0 +1,4 @@
+go/runtime/host/sandbox/process: Handle missing clone3
+
+This should fix seccomp filter generation failures on systems with
+ancient kernel/userland pairs (RHEL8 and variants).
diff --git a/go/common/dynlib/cache.go b/go/common/dynlib/cache.go
@@ -336,7 +336,7 @@ func LoadCache() (*Cache, error) {
 func loadCacheGlibc() (*Cache, error) {
 	const entrySz = 4 + 4 + 4 + 4 + 8
 
-	ourOsVersion, err := getOsVersion()
+	ourOsVersion, err := GetOsVersion()
 	if err != nil {
 		return nil, err
 	}

diff --git a/go/common/dynlib/cache_test.go b/go/common/dynlib/cache_test.go
@@ -40,6 +40,11 @@ func TestCache(t *testing.T) {
 
 	t.Logf("Test binary: %+v", fn)
 
+	v, err := GetOsVersion()
+	if err == nil {
+		t.Logf("OS version: %02x", v)
+	}
+
 	impls := []struct {
 		name string
 		ctor ctorFn

diff --git a/go/common/dynlib/hwcap_linux.go b/go/common/dynlib/hwcap_linux.go
@@ -37,7 +37,8 @@ import (
 	"syscall"
 )
 
-func getOsVersion() (uint32, error) {
+// GetOsVersion returns the operating system version (major, minor, pl).
+func GetOsVersion() (uint32, error) {
 	var buf syscall.Utsname
 	err := syscall.Uname(&buf)
 	if err != nil {

diff --git a/go/common/dynlib/hwcap_other.go b/go/common/dynlib/hwcap_other.go
@@ -24,6 +24,6 @@
 
 package dynlib
 
-func getOsVersion() (uint32, error) {
+func GetOsVersion() (uint32, error) {
 	return 0, errUnsupported
 }
diff --git a/go/runtime/host/sandbox/process/seccomp_linux.go b/go/runtime/host/sandbox/process/seccomp_linux.go
@@ -8,6 +8,8 @@ import (
 	"syscall"
 
 	seccomp "github.com/seccomp/libseccomp-golang"
+
+	"github.com/oasisprotocol/oasis-core/go/common/dynlib"
 )
 
 // A list of syscalls allowed with any arguments.
@@ -355,6 +357,21 @@ func generateSeccompPolicy(out *os.File) error {
 		return err
 	}
 
+	// Handle clone3 if the kernel is new enough to support it.
+	osVersion, err := dynlib.GetOsVersion()
+	if err != nil {
+		return err
+	}
+	if osVersion >= 0o50300 { // "The clone3() system call first appeared in Linux 5.3.""
+		if err = handleClone3(filter); err != nil {
+			return err
+		}
+	}
+
+	return filter.ExportBPF(out)
+}
+
+func handleClone3(filter *seccomp.ScmpFilter) error {
 	// We need to handle the clone3 syscall in a special manner as there are several complications
 	// to its handling:
 	//
@@ -373,6 +390,5 @@ func generateSeccompPolicy(out *os.File) error {
 	if err != nil {
 		return err
 	}
-
-	return filter.ExportBPF(out)
+	return nil
 }