Look into using gvisor.dev/gvisor/pkg/seccomp

[kolyshkin]

Apparently, https://pkg.go.dev/gvisor.dev/gvisor/pkg/seccomp can potentially be used (instead of libseccomp / libseccomp-golang) to implement seccomp in runc. Need to look into it.

[AkihiroSuda]

Looks like we will have to add a few arch-specific constants to support ppc64le, s390x, arm (32-bit), and other minor architectures.

[AkihiroSuda]

I don't like the mega dependency on gvisor.dev/gvisor/pkg/*.
https://github.com/google/gvisor/blob/e0e9a19bffcb4fd4e545d3942104734f4d911f92/pkg/seccomp/seccomp_unsafe.go#L23
https://github.com/google/gvisor/blob/e0e9a19bffcb4fd4e545d3942104734f4d911f92/pkg/abi/linux/linux_amd64_abi_autogen_unsafe.go#L15-L17

Probably, we should fork gvisor.dev/gvisor/pkg/seccomp and its minimum dependency to another repo. (opencontainers/go-seccomp? moby/sys/seccomp? Or just opencontainers/runc/libcontainer/seccomp?)

[utam0k]

This is my simple interest, what is the reason you want to change the seccomp library? Are there any hard spots?

[AkihiroSuda]

This is my simple interest, what is the reason you want to change the seccomp library? Are there any hard spots?

Cross-compilation is often cumbersome with cgo.
Also, distros' libseccomp is often outdated and lacks support for recently added syscalls

[utam0k]

I got it. I'm interested in contributing to runc. If I have a chance to try it, I'd like to take it.

[AkihiroSuda]

Removed from v1.2.0 milestone, but contribution is still welcome

[utam0k]

Sorry, I forgot about this issue. Can I try it already? If yes, please assign me 😍

[AkihiroSuda]

@utam0k Assigned

[utam0k]

@AkihiroSuda Thanks!

[utam0k]

• seccompagent.go
• seccomp_test.go
• seccomp_linux.go
• ecosys_linux.go
• seccomp_internal.go

[utam0k]

@kolyshkin @AkihiroSuda Sorry for the delayed reply. I looked into gvisor.dev/gvisor/pkg/seccomp a little. I found some problems with using instead of libeseccomp-golang

• Doesn't support seccomp notify
• Only little endian systems are supported

WDYT? How can I process this issue?

[AkihiroSuda]

@utam0k

Thank you for taking a look at this.
I think it is ok to fork the repo for implementing the missing features.
Forking seems also almost necessary to get rid of the mega dependencies on gvisor.dev/gvisor/pkg/*: #3388 (comment)

[AkihiroSuda]

Maybe we can use https://github.com/elastic/go-seccomp-bpf instead?

[utam0k]

It seems not to support seccomp-notify, but we have an option to contribute it to support seccomp notify. Now, we're tackling the same issue in youki as the experimental. After youki's issue is completed, I'll come back to this issue with the knowledge I get in youki.

youki-dev/youki#2724

[cyphar]

I spoke to @avagin a few months ago about this, and the gVisor impl has a bunch of optimisations that make seccomp filters much faster. Switching would be nice (we might even be able to send patches to finally fix the -ENOSYS issue once and for all) but I haven't looked at how many things are missing...

[sat0ken]

I am interested to https://github.com/elastic/go-seccomp-bpf me too.
They implement Seccomp Filter by extending x/net/bpf without depend on libseccomp-go.

I've been working with @utam0k on youki's issue. I'm ready to contribute this issue.

[kolyshkin]

I spoke to @avagin a few months ago about this, and the gVisor impl has a bunch of optimisations that make seccomp filters much faster.

[Haven't looked at the article yet, but] libseccomp (since v2.5) has a binary tree optimization, which is enabled since runc v1.2.0 (#3405) for larger rulesets. Hard to say how helpful this is though, and whether gVisor implementation is yet faster (it probably is).

[cyphar]

The binary tree stuff was added to libseccomp because gVisor added it to their implementation 😜. They have a number of other optimisations, I think the article shows how much each one saves. One of the nicer optimisations is that they take into consideration how the kernel caches rules, which a basic binary search tree doesn't help with.

(FWIW, I think the main benefit would be that could be easier to get patches to fix the -ENOSYS and other issues merged.)