Bug 1328970

Summary: seccomp: config provided but seccomp not supported
Product: Red Hat Enterprise Linux 7
Reporter: Qian Cai <qcai>
Component: runc
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: high
Version: 7.2
CC: ajia, dwalsh, mpatel
Target Milestone: rc
Keywords: Extras, ZStream
Hardware: x86_64
OS: Linux
Fixed In Version: runc-0.1.0-3.el7
Doc Type: Bug Fix
Last Closed: 2016-05-12 15:15:38 UTC
Type: Bug

Description Qian Cai 2016-04-20 18:38:02 UTC
Description of problem:
Looks like we need to build runc with libseccomp again.

# cat config.json
...
        "seccomp": {
            "architectures": [
                "SCMP_ARCH_X86"
            ], 
            "defaultAction": "SCMP_ACT_ALLOW", 
            "syscalls": [
                {
                    "action": "SCMP_ACT_ERRNO", 
                    "name": "getcwd"
                }
            ]
        }
...

# runc start root
seccomp: config provided but seccomp not supported

Version-Release number of selected component (if applicable):
runc-0.1.0-1.el7.x86_64

How reproducible:
always

Comment 1 Qian Cai 2016-04-20 18:54:12 UTC
I tried the upstream version in the master branch (at commit 2441732) on 30 March, and it works fine.

Comment 3 Mrunal Patel 2016-05-03 17:14:28 UTC
Most likely runc wasn't compiled with the seccomp build tag.

If you pull the repo and run make, it adds seccomp build tag by default.

[root@localhost runc]# make
go build -i -ldflags "-X main.gitCommit=89c3c97a8482f3a57cd4bb683df1a7b2c61405d8" -tags "seccomp" -o runc .

[root@dhcp-16-129 testroot]# tail -n 15 config.json
                                "type": "uts"
                        }
                ],
                "seccomp": {
                        "defaultAction": "SCMP_ACT_ALLOW",
                        "architectures": null,
                        "syscalls": [
                                {
                                        "name": "getcwd",
                                        "action": "SCMP_ACT_ERRNO"
                                }
                        ]
                }
        }
}
[root@dhcp-16-129 testroot]# runc start 1234
sh: getcwd: Operation not permitted
(unknown) # exit
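
An added example, not part of the original comments and not runc code: a check that a seccomp profile like the one in this report is actually enforced on a running container process, by comparing config.json with the `Seccomp:` field of `/proc/<pid>/status` (0 = disabled, 1 = strict, 2 = filter). The location of the profile under a top-level "linux" key and the sample status text are assumptions constructed for the example.

```python
import json

# Values of the "Seccomp:" field in /proc/<pid>/status (see proc(5)).
MODES = {0: "disabled", 1: "strict", 2: "filter"}

def seccomp_profile(config):
    """Return the seccomp section, assumed to live under the "linux" key."""
    return (config.get("linux") or {}).get("seccomp")

def overridden_syscalls(profile):
    """Syscalls whose action differs from the profile's defaultAction."""
    default = profile.get("defaultAction")
    return sorted(
        (s["name"], s["action"])
        for s in profile.get("syscalls") or []
        if s.get("action") != default
    )

def kernel_mode(status_text):
    """Parse the Seccomp: line; None if the kernel does not report it."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Seccomp":
            return MODES.get(int(value.strip()), "unknown")
    return None

def audit(config, status_text):
    """Compare what config.json asks for with what the kernel enforces."""
    profile = seccomp_profile(config)
    if profile is None:
        return "no-profile"
    if kernel_mode(status_text) != "filter":
        return "profile-not-enforced"
    return "enforced"

# Constructed sample input: the profile from this report and two status excerpts.
SAMPLE_CONFIG = json.loads("""
{"linux": {"seccomp": {"defaultAction": "SCMP_ACT_ALLOW", "architectures": null,
  "syscalls": [{"name": "getcwd", "action": "SCMP_ACT_ERRNO"}]}}}
""")
STATUS_FILTERED = "Name:\tsh\nState:\tS (sleeping)\nSeccomp:\t2\n"
STATUS_UNFILTERED = "Name:\tsh\nState:\tS (sleeping)\nSeccomp:\t0\n"

if __name__ == "__main__":
    print(overridden_syscalls(seccomp_profile(SAMPLE_CONFIG)))
    print(audit(SAMPLE_CONFIG, STATUS_FILTERED))
    print(audit(SAMPLE_CONFIG, STATUS_UNFILTERED))
```

On a live host, pass the contents of `/proc/<pid>/status` for the container's init process as `status_text`.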

Comment 4 Daniel Walsh 2016-05-03 17:51:47 UTC
Runc should be being built with 

BUILDTAGS="selinux seccomp"

Comment 5 Lokesh Mandvekar 2016-05-03 18:15:50 UTC
fix upcoming..

Comment 7 Lokesh Mandvekar 2016-05-04 21:23:39 UTC
*** Bug 1322608 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2016-05-12 15:15:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1061.html