On 2025-01-10, Eyal Birger <eyal.birger@xxxxxxxxx> wrote:
> Hi,
>
> When attaching uretprobes to processes running inside docker, the attached
> process is segfaulted when encountering the retprobe. The offending commit
> is:
>
> ff474a78cef5 ("uprobe: Add uretprobe syscall to speed up return probe")
>
> To my understanding, the reason is that now that uretprobe is a system call,
> the default seccomp filters in docker block it as they only allow a specific
> set of known syscalls.

FWIW, the default seccomp profile of Docker _should_ return -ENOSYS for
uretprobe (runc has a bunch of ugly logic to try to guarantee this if
Docker hasn't updated their profile to include it). Though I guess that
isn't sufficient for the magic that uretprobe(2) does...

> This behavior can be reproduced by the below bash script, which works before
> this commit.
>
> Reported-by: Rafael Buchbinder <rafi@xxxxxx>
>
> Eyal.
>
> --- CODE ---
> #!/bin/bash
>
> cat > /tmp/x.c << EOF
> #include <stdio.h>
> #include <seccomp.h>
>
> /* Allow-list: everything else gets the default action below (EPERM). */
> char *syscalls[] = {
>         "write",
>         "exit_group",
> };
>
> /* Kept out of line so the uretprobe has a real return to hook. */
> __attribute__((noinline)) int probed(void)
> {
>         printf("Probed\n");
>         return 1;
> }
>
> void apply_seccomp_filter(char **syscalls, int num_syscalls)
> {
>         scmp_filter_ctx ctx;
>
>         /* Default action: fail unknown syscalls with errno 1 (EPERM). */
>         ctx = seccomp_init(SCMP_ACT_ERRNO(1));
>         for (int i = 0; i < num_syscalls; i++) {
>                 seccomp_rule_add(ctx, SCMP_ACT_ALLOW,
>                                  seccomp_syscall_resolve_name(syscalls[i]), 0);
>         }
>         seccomp_load(ctx);
>         seccomp_release(ctx);
> }
>
> int main(int argc, char *argv[])
> {
>         int num_syscalls = sizeof(syscalls) / sizeof(syscalls[0]);
>
>         apply_seccomp_filter(syscalls, num_syscalls);
>
>         probed();
>
>         return 0;
> }
> EOF
>
> cat > /tmp/trace.bt << EOF
> uretprobe:/tmp/x:probed
> {
>         printf("ret=%d\n", retval);
> }
> EOF
>
> gcc -o /tmp/x /tmp/x.c -lseccomp
>
> /usr/bin/bpftrace /tmp/trace.bt &
>
> sleep 5 # wait for uretprobe attach
> /tmp/x
>
> pkill bpftrace
>
> rm /tmp/x /tmp/x.c /tmp/trace.bt

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
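The distinction the reply draws, a plain allow-list that answers EPERM for everything else versus a profile that answers ENOSYS for syscall numbers it has never heard of, is easiest to see in the filter itself. The following is an added example, not code from this thread and not runc's or Docker's implementation (runc patches raw BPF onto the libseccomp output; this is a simplified stand-alone equivalent). It builds the filter as classic BPF by hand, with a rule "nr greater than the highest number in the allow-list -> ENOSYS" ahead of the default EPERM, and includes a tiny interpreter for just the opcodes it emits so the decisions can be checked without installing the filter. The three-entry allow-list and the function names are hypothetical choices for the demo; as noted above, returning ENOSYS does not by itself rescue the uretprobe trampoline.

```c
/* Added example: runc-style "-ENOSYS for unknown syscall numbers" seccomp filter,
 * written as raw classic BPF. Not runc's or Docker's code; allow-list is hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define RET_ERRNO(e) (SECCOMP_RET_ERRNO | ((e) & SECCOMP_RET_DATA))
#define MAX_INSNS 128

/* Hypothetical allow-list for the demo; a real container profile has hundreds of entries. */
static const int demo_allowed[] = { __NR_write, __NR_exit_group, __NR_rt_sigreturn };
#define DEMO_ALLOWED_N (sizeof demo_allowed / sizeof demo_allowed[0])

/* Emit: arch check, JEQ/ALLOW per allowed nr, "nr > highest known nr -> ENOSYS",
 * otherwise EPERM. Returns the number of instructions written. */
size_t build_filter(struct sock_filter *out, const int *allowed, size_t n)
{
    size_t i = 0;
    int max_nr = 0;
    for (size_t j = 0; j < n; j++)
        if (allowed[j] > max_nr) max_nr = allowed[j];

    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++) {
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[j], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* The runc-style rule: a number above anything the profile knows is a
     * syscall newer than the profile, so answer ENOSYS and let the caller fall back. */
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, max_nr, 0, 1);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(ENOSYS));
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(EPERM));
    return i;
}

/* Minimal cBPF interpreter covering only the opcodes build_filter emits. */
uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;   /* targets are relative to pc+1 */
            break;
        case BPF_JMP | BPF_JGT | BPF_K:
            pc += (acc > in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;   /* opcode this demo never emits */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;   /* fell off the end */
}

/* What the demo filter would return for syscall number nr on architecture arch. */
uint32_t decide_with_arch(int nr, uint32_t arch)
{
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_filter(prog, demo_allowed, DEMO_ALLOWED_N);
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    return run_filter(prog, len, &sd);
}

uint32_t decide(int nr) { return decide_with_arch(nr, NATIVE_ARCH); }

int main(void)
{
    struct sock_filter prog[MAX_INSNS];
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(prog, demo_allowed, DEMO_ALLOWED_N),
                                .filter = prog };
    char buf[160];

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog)) {
        perror("seccomp");
        return 1;
    }
    /* From here on only write/exit_group/rt_sigreturn pass: a number above the
     * allow-list gets ENOSYS, a known-but-denied one (read) gets EPERM. */
    long r1 = syscall(4096);
    int e1 = errno;
    long r2 = syscall(__NR_read, -1, buf, 0);
    int e2 = errno;
    int n = snprintf(buf, sizeof buf, "nr 4096: ret=%ld errno=%d (ENOSYS=%d)\nread: ret=%ld errno=%d (EPERM=%d)\n",
                     r1, e1, ENOSYS, r2, e2, EPERM);
    write(1, buf, n);
    return 0;
}
```

The arch check comes first because syscall numbers differ between ABIs; without it a 32-bit caller on an x86_64 host could reach a different syscall under the same number. Note that negative numbers compare as huge unsigned values and therefore also fall into the ENOSYS branch, which is harmless here but worth knowing if the rule is combined with other range checks.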