Add SCMP_ACT_LOG as a seccomp defaultAction

[blacktop]

Description
I would like to have support for the secomp rule action: SCMP_ACT_LOG which is mentioned here: http://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html

It would be cool to use for auto-generating minimal seccomp profiles for docker images

Steps to reproduce the issue:

1. create a seccomp profile that starts with

{
  "defaultAction": "SCMP_ACT_LOG",

Describe the results you received:

docker: Error response from daemon: OCI runtime create failed: string SCMP_ACT_LOG is not a valid action for seccomp: unknown.
ERRO[0000] error waiting for container: context canceled

Describe the results you expected:

To see a bunch of syscalls being logged

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client: Docker Engine - Community
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov  7 00:47:43 2018
 OS/Arch:           darwin/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov  7 00:55:00 2018
  OS/Arch:          linux/amd64
  Experimental:     true

Output of docker info:

Containers: 1
 Running: 0
 Paused: 0
 Stopped: 1
Images: 102
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: active
 NodeID: t2pt34ds01y6ph2ume0mi5pny
 Is Manager: true
 ClusterID: feqcitiv60rseyuvczyannv5r
 Managers: 1
 Nodes: 1
 Default Address Pool: 10.0.0.0/8
 SubnetSize: 24
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 10
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
  Force Rotate: 0
 Autolock Managers: false
 Root Rotation In Progress: false
 Node Address: 192.168.65.3
 Manager Addresses:
  192.168.65.3:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.125-linuxkit
Operating System: Docker for Mac
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.786GiB
Name: linuxkit-025000000001
ID: FBGL:KLA6:N43C:LPEF:XGKO:BC3A:24HH:3QA3:Q6PC:XW6D:NEH2:MLAW
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 42
 Goroutines: 173
 System Time: 2018-12-08T06:05:42.489959672Z
 EventsListeners: 2
HTTP Proxy: gateway.docker.internal:3128
HTTPS Proxy: gateway.docker.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

Additional environment details (AWS, VirtualBox, physical, etc.):

[thaJeztah]

Looks like this is currently not supported by libcontainer / the runc runtime, where this error is generated; https://github.com/opencontainers/runc/blob/2c632d1a2de0192c3f18a2542ccb6f30a8719b1f/libcontainer/seccomp/config.go#L57-L68

// ConvertStringToAction converts a string into a Seccomp rule match action.
// Actions use the names they are assigned in Libseccomp's header, though some
// (notable, SCMP_ACT_TRACE) are not available in this implementation and will
// return errors.
// Attempting to convert a string that is not a valid action results in an
// error.
func ConvertStringToAction(in string) (configs.Action, error) {
	if act, ok := actions[in]; ok == true {
		return act, nil
	}
	return 0, fmt.Errorf("string %s is not a valid action for seccomp", in)
}

Supported actions are listed in that file as well https://github.com/opencontainers/runc/blob/2c632d1a2de0192c3f18a2542ccb6f30a8719b1f/libcontainer/seccomp/config.go#L19-L25

var actions = map[string]configs.Action{
	"SCMP_ACT_KILL":  configs.Kill,
	"SCMP_ACT_ERRNO": configs.Errno,
	"SCMP_ACT_TRAP":  configs.Trap,
	"SCMP_ACT_ALLOW": configs.Allow,
	"SCMP_ACT_TRACE": configs.Trace,
}

I do see that SCMP_ACT_TRACE was added in opencontainers/runc#347. I'm not familiar with the differences between SCMP_ACT_TRACE and SCMP_ACT_LOG; would trace satisfy your use-case?

ping @crosbymichael @justincormack PTAL

[blacktop]

Sorry for my delayed response. I tried using TRACE and it didn't seem to do (output) anything.

[justincormack]

the log action is new in 4.14 kernel; you will need to get this upstream in runc before we can implement here. It should be relatively simple to add as it is just another constant.

[blacktop]

@justincormack thank you! I have created the PR.

[blacktop]

PR successfully builds! opencontainers/runc#1951 😁

[blacktop]

@justincormack is there anything else you need me to do?

[skepticfx]

@blacktop I came across the same issue. However, if you use SCMP_ACT_TRAP and strace the executable, it logs something similar to what one would get with SCMP_ACT_LOG and syslog.

--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0x7f77207d62c0, si_syscall=__NR_write, si_arch=AUDIT_ARCH_X86_64} ---
+++ killed by SIGSYS +++
Bad system call```

[pjbgf]

I do see that SCMP_ACT_TRACE was added in opencontainers/runc#347. I'm not familiar with the differences between SCMP_ACT_TRACE and SCMP_ACT_LOG; would trace satisfy your use-case?

SCMP_ACT_TRACE requires a ptracer to intercept the syscall, which would then control its execution. If no tracer is running it results in an error.
SCMP_ACT_LOG allows the syscall to execute, but forces it to be logged.

[pjbgf]

@blacktop I came across the same issue. However, if you use SCMP_ACT_TRAP and strace the executable, it logs something similar to what one would get with SCMP_ACT_LOG and syslog.

The main difference between those options is that SCMP_ACT_TRAP logs the syscall execution after logging it. SCMP_ACT_LOG logs it and allows it to run, being a less invasive way to the audit logs.

[blacktop]

I have rebased my runc PR so as soon as that is merged this should be g2g 😁