- Bug
- Resolution: Done-Errata
- Major
- rhel-9.6
- oci-seccomp-bpf-hook-1.2.11-1.el9_6
- Yes
- Moderate
- 0day
- 1
- rhel-container-tools
- 1
- False
- False
- None
- RUN 269
- Pass
- Automated
- Unspecified
- Unspecified
- Unspecified
- None
What were you trying to do that didn't work?
I'm running https://github.com/containers/oci-seccomp-bpf-hook/blob/main/test; they should all pass, but the TCs below failed.
- 4 Trace and use generated profile
- 5 Containers fails to run blocked syscall
- 6 Extend existing seccomp profile
- 7 Syscall blocked in input profile remains blocked in output profile
Please provide the package NVR for which the bug is seen:
# rpm -q podman oci-seccomp-bpf-hook
podman-5.4.0-1.el10.x86_64
oci-seccomp-bpf-hook-1.2.10-7.el10.x86_64
How reproducible is this bug?:
always
Steps to reproduce
# bash test_runner.sh
++ time bats --tap .
1..8
ok 1 Podman available
ok 2 Version check # skip This test only makes sense in a source-tree environment
ok 3 Trace and check size of generated profile
not ok 4 Trace and use generated profile
# (in test file ./00-simple.bats, line 64)
#   `[ "$status" -eq 0 ]' failed
# Temporary file: /var/tmp/tmp.qo2e2CDg4y
# Podman output: bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
# Size of generated file: 1093
# Podman output: read from the exec fifo: Operation not permitted
not ok 5 Containers fails to run blocked syscall
# (in test file ./00-simple.bats, line 86)
#   `[ "$status" -eq 0 ]' failed
# Temporary file: /var/tmp/tmp.UtMU0w7p01
# Podman output: bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
# Size of generated file: 1095
# Podman output: read from the exec fifo: Operation not permitted
not ok 6 Extend existing seccomp profile
# (in test file ./00-simple.bats, line 127)
#   `[ "$status" -eq 0 ]' failed
# Temporary file 1: /var/tmp/tmp.4HpILOLjhz
# Temporary file 2: /var/tmp/tmp.8sp0kVGwPy
# Size of the first generated file: 1031
# Podman output: read from the exec fifo: Operation not permitted
# Podman output: PING github.com (140.82.113.4): 56 data bytes
64 bytes from 140.82.113.4: seq=0 ttl=42 time=33.167 ms
64 bytes from 140.82.113.4: seq=1 ttl=42 time=8.702 ms
64 bytes from 140.82.113.4: seq=2 ttl=42 time=8.803 ms
--- github.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 8.702/16.890/33.167 ms
# Size of the second generated file: 1259
# Podman output: read from the exec fifo: Operation not permitted
not ok 7 Syscall blocked in input profile remains blocked in output profile
# (in test file ./00-simple.bats, line 153)
#   `[ "$status" -eq 0 ]' failed
# Temporary file : /var/tmp/tmp.njX3syo2Sy
# Podman output:
# Size of the first generated file: 1043
# Podman output: Error: OCI runtime error: crun: read from the init process
ok 8 Trace and look for syslogs
real 0m37.682s
user 0m1.184s
sys 0m0.729s
podman info
# podman info
host:
  arch: amd64
  buildahVersion: 1.39.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-4.el10.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 96.06
    systemPercent: 1.2
    userPercent: 2.74
  cpus: 2
  databaseBackend: sqlite
  distribution:
    distribution: rhel
    version: "10.0"
  eventLogger: journald
  freeLocks: 1967
  hostname: kvm-03-guest20.lab.eng.rdu2.dc.redhat.com
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.12.0-55.9.1.el10_0.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 5204828160
  memTotal: 8052490240
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.14.0-1.el10.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.14.0
    package: netavark-1.14.0-1.el10.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.14.0
  ociRuntime:
    name: crun
    package: crun-1.19-1.el10.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19
      commit: db31c42ac46e20b5527f5339dcbf6f023fcd539c
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250217.ga1e48a0-3.el10_0.x86_64
    version: ""
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 5368512512
  swapTotal: 5368705024
  uptime: 1h 20m 12.00s (Approximately 0.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 79
    paused: 0
    running: 0
    stopped: 79
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 47173337088
  graphRootUsed: 3978321920
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.4.0
  BuildOrigin: Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
  Built: 1739318400
  BuiltTime: Tue Feb 11 19:00:00 2025
  GitCommit: ""
  GoVersion: go1.23.1 (Red Hat 1.23.1-4.el10)
  Os: linux
  OsArch: linux/amd64
  Version: 5.4.0
- clones: RHEL-85351 oci-seccomp-bpf-hook doesn't work well (Release Pending)
- links to: RHBA-2025:147968 oci-seccomp-bpf-hook bug fix and enhancement update