seccomp not correctly detecting riscv64 architecture #48454

@gdams

Description

See docker-library/official-images#17403 for most of the context

Essentially, seccomp doesn't support riscv64 right now, so specifying it won't apply on a riscv64 architecture:

		{
			"names": [
				"riscv_flush_icache"
			],
			"action": "SCMP_ACT_ALLOW",
			"includes": {
				"arches": [
					"riscv64"
				]
			}
		},

But if you remove the includes, it will work:

		{
			"names": [
				"riscv_flush_icache"
			],
			"action": "SCMP_ACT_ALLOW"
		},

Reproduce

  1. On a riscv64 agent run an ubuntu docker image (default seccomp settings)
  2. Run apt-get update and apt-get install openjdk-21-jdk
  3. Observe the following error:
[0.024s][error][os] Syscall: RISCV_FLUSH_ICACHE not available; error='Operation not permitted' (errno=EPERM)

Expected behavior

No response

docker version

Client:
 Version:           24.0.7
 API version:       1.43
 Go version:        go1.22.2
 Git commit:        24.0.7-0ubuntu4
 Built:             Wed Apr 17 20:08:25 2024
 OS/Arch:           linux/riscv64
 Context:           default

Server:
 Engine:
  Version:          24.0.7
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.22.2
  Git commit:       24.0.7-0ubuntu4
  Built:            Wed Apr 17 20:08:25 2024
  OS/Arch:          linux/riscv64
  Experimental:     false
 containerd:
  Version:          1.7.12
  GitCommit:        
 runc:
  Version:          1.1.12-0ubuntu3
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:

docker info

Client:
 Version:    24.0.7
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.12.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 6
 Server Version: 24.0.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 
 runc version: 
 init version: 
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.10.113+
 Operating System: Ubuntu 24.04 LTS
 OSType: linux
 Architecture: riscv64
 CPUs: 4
 Total Memory: 15.35GiB
 Name: test-rise-ubuntu2404-riscv64-3.adoptopenjdk.net
 ID: 3ab95727-791b-4dba-b211-132e803c56b0
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response
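
Added example, not part of the original issue and not Docker's own code: a small model of how an includes.arches gate can drop the rule shown above when the runtime does not recognize the host architecture, so the syscall falls through to the profile's default action. It assumes arch gating is a plain name comparison and uses an empty string as a stand-in for an unrecognized architecture; rule_applies, action_for and arch_gated are hypothetical helper names, and the two profiles are constructed wrappers around the issue's rule variants.

```python
import json

# Constructed minimal profiles wrapping the two rule variants from the issue.
# defaultAction mirrors Docker's builtin profile (deny with an errno).
GATED = json.loads("""
{"defaultAction": "SCMP_ACT_ERRNO",
 "syscalls": [{"names": ["riscv_flush_icache"],
               "action": "SCMP_ACT_ALLOW",
               "includes": {"arches": ["riscv64"]}}]}
""")
UNGATED = json.loads("""
{"defaultAction": "SCMP_ACT_ERRNO",
 "syscalls": [{"names": ["riscv_flush_icache"],
               "action": "SCMP_ACT_ALLOW"}]}
""")


def rule_applies(rule, detected_arch):
    """Assumed model: a rule survives only if the detected architecture name
    is listed in includes.arches (when present) and not in excludes.arches."""
    inc = (rule.get("includes") or {}).get("arches") or []
    exc = (rule.get("excludes") or {}).get("arches") or []
    if inc and detected_arch not in inc:
        return False
    return detected_arch not in exc


def action_for(profile, syscall, detected_arch):
    """Action the filter would take for `syscall`, given the arch name the
    runtime detected; falls back to defaultAction when no rule survives."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []) and rule_applies(rule, detected_arch):
            return rule["action"]
    return profile["defaultAction"]


def arch_gated(profile):
    """Audit helper: syscalls whose rule depends on architecture detection."""
    return sorted({n for r in profile.get("syscalls", [])
                   if (r.get("includes") or {}).get("arches")
                   for n in r.get("names", [])})


if __name__ == "__main__":
    # "" stands in for an architecture the runtime failed to recognize.
    for label, arch in (("recognized", "riscv64"), ("unrecognized", "")):
        print(label, "gated:", action_for(GATED, "riscv_flush_icache", arch),
              "ungated:", action_for(UNGATED, "riscv_flush_icache", arch))
    print("arch-gated syscalls:", arch_gated(GATED))
```

Running arch_gated over a full profile lists every syscall whose allow rule would silently disappear if architecture detection fails on a new platform.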
