Docker fails to start container if certain syscalls are restricted by seccomp

[jpallen]

Description of problem: The following syscalls must be provided in the seccomp profile, even if they are not used by the process that is run in the container:

capget
capset
chdir
fchown
futex
getdents64
getpid
getppid
lstat
openat
prctl
setgid
setgroups
setuid
stat

If these are not allowed, the container will fail to run with varying error messages depending on the missing syscall. I'm not familiar with the internals, but I suspect the seccomp profile is applied before the container is set up, and these syscalls are needed for the container set up. For a security model that allows limiting syscalls, it should also be possible to deny these calls if they are not needed by the process that is actually run.

docker version:

Client:
 Version:      1.11.0-rc5
 API version:  1.23
 Go version:   go1.5.3
 Git commit:   6178547
 Built:        Mon Apr 11 21:16:15 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.0-rc5
 API version:  1.23
 Go version:   go1.5.3
 Git commit:   6178547
 Built:        Mon Apr 11 21:16:15 2016
 OS/Arch:      linux/amd64

docker info:

Containers: 6
 Running: 0
 Paused: 0
 Stopped: 6
Images: 3
Server Version: 1.11.0-rc5
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 74
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: null host bridge
Kernel Version: 4.4.0-18-generic
Operating System: Ubuntu 16.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.953 GiB
Name: sl-lin-stag-clsi-2
ID: 53XM:GFZU:I5QC:MGBM:HPGW:KENC:ZBK7:GN4C:TGXD:JJPC:AO3S:IVM4
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support

uname -a: Linux sl-lin-stag-clsi-2 4.4.0-18-generic #34-Ubuntu SMP Wed Apr 6 14:01:02 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Environment details (AWS, VirtualBox, physical, etc.): Test machine was a VPS from Linode

How reproducible: Very. Just run a container with any of the above syscalls removed from the default docker profile.

Steps to Reproduce:

1. Create a seccomp profile for echo with only the syscalls it needs. (Check using strace):

$ strace echo hi 2>&1 | grep -v '+++ exited' | cut -d'(' -f1 | grep -v ')' | sort | uniq
access
arch_prctl
brk
close
execve
exit_group
fstat
mmap
mprotect
munmap
open
read
write

The seccomp profile which allows only these syscalls is attached:
echo-seccomp-profile.json.txt

1. Try to run echo in a container with this profile:

$ sudo docker run -it --rm --security-opt seccomp=echo-seccomp-profile.json ubuntu echo hi
docker: Error response from daemon: rpc error: code = 2 desc = "oci runtime error: open /proc/self/fd: operation not permitted".

Expected Results: It should run the echo command.

Additional info: I found the list of syscalls that docker needs (in the first paragraph of this report) by removing each syscall in turn from the default profile, and seeing which ones causes a run of echo hi to fail in the a container (except the ones explicitly needed by echo). It is likely that some of access, arch_prctl, brk, close, execve, exit_group, fstat, mmap, mprotect, munmap, open, read, write are also fundamental to the set up of the container, rather than just the echo command, since these are pretty fundamental calls.

[cpuguy83]

Nice find!
Ping @justincormack

[justincormack]

Yes, I did notice that there was an issue with the seccomp profile being applied a little earlier than ideal (ie before setting capabilities and a few other things) when we did the original addition, but it may also have moved around with the runc work. It would indeed be a good idea to move it as late as possible, as restricting some of those calls is a good idea. Will look at this and look at how to move it.

[justincormack]

Ok, I have it working with just futex, stat and execve needed. The stat can be moved later (it is Go trying to find the executable in the PATH), the futex is not very easy to remove but it is pretty essential anyway, and the execve is also hard to remove as we need to exec the new program, and the alternatvie fexecveat is only available in very new kernels.

There is a slight complication around no new privs and capabilities, will work out best solution there, there are a few options.

[justincormack]

Ok, I have sent a PR to runc opencontainers/runc#789

This only moves seccomp to after setting capabilities if the --security-opt="no-new-privileges" is set, otherwise the current behaviour has to be kept as without that flag setting the seccomp filter is a privileged operation. It is a good idea to use that flag, and if you are already setting a custom filter adding it is not too much of a burden. (I wish that flag had been the default, but it was added later and it does cause problems if people want to use suid binaries in a container).

[mrunalp]

@justincormack Yep, the reason for not making no-new-privileges the default was to not break existing containers that use setuid binaries.

[justincormack]

This has been merged into runc now.

[thaJeztah]

@justincormack think we need a PR to bump runC here to close this issue

[vonpupp]

I am having the exact same issue here on a Linode droplet using Ubuntu 16.04.

av@ubuntu:~$ docker version
Client:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Tue Apr 26 23:43:49 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Tue Apr 26 23:43:49 2016
 OS/Arch:      linux/amd64

av@ubuntu:~$ uname -a:
Linux ubuntu 4.5.0-x86_64-linode65 #2 SMP Mon Mar 14 18:01:58 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

[justincormack]

@vonpupp which issue exactly?