Date: Tue, 24 Nov 2020 16:45:46 +0000
From: Christoph Hellwig
To: Mark Wielaard
Cc: Florian Weimer, Christian Brauner, linux-api@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, dev@opencontainers.org, corbet@lwn.net, Carlos O'Donell
Subject: Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround
Message-ID: <20201124164546.GA14094@infradead.org>
References: <87lfer2c0b.fsf@oldenburg2.str.redhat.com> <20201124122639.x4zqtxwlpnvw7ycx@wittgenstein> <878saq3ofx.fsf@oldenburg2.str.redhat.com>

On Tue, Nov 24, 2020 at 03:08:05PM +0100, Mark Wielaard wrote:
> For valgrind the issue is statx which we try to use before falling back
> to stat64, fstatat or stat (depending on architecture, not all define
> all of these). The problem with these fallbacks is that under some
> containers (libseccomp versions) they might return EPERM instead of
> ENOSYS. This causes really obscure errors that are really hard to
> diagnose.

So find a way to detect these completely broken container run times
and refuse to run under them at all. After all they've decided to
deliberately break the syscall ABI. (and yes, we gave them the rope to do
that with seccomp :().
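
One way to implement the detection suggested in the reply, as an added example (not code from this thread, valgrind or the kernel): it issues two calls that cannot succeed and treats an EPERM answer as the sign of a seccomp filter rewriting the result. That syscall number 0xffff is unassigned, and the names `classify_probe` and `probe_syscall_abi`, are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumption of this example: no architecture assigns this number. */
#define UNASSIGNED_NR 0xffffL

enum abi_verdict { ABI_INTACT, ABI_FILTERED, ABI_INCONCLUSIVE };

/* Classify the result of a probe call that cannot succeed. An unfiltered
 * kernel answers ENOSYS (no such syscall) or, for statx with NULL
 * pointers, EFAULT. EPERM is taken here to mean a seccomp filter. */
enum abi_verdict classify_probe(long ret, int err)
{
    if (ret != -1)
        return ABI_INCONCLUSIVE;
    if (err == EPERM)
        return ABI_FILTERED;
    if (err == ENOSYS || err == EFAULT)
        return ABI_INTACT;
    return ABI_INCONCLUSIVE;
}

/* Probe an unassigned syscall number, then statx with NULL pointers. */
enum abi_verdict probe_syscall_abi(void)
{
    long ret = syscall(UNASSIGNED_NR);
    enum abi_verdict v = classify_probe(ret, errno);
#ifdef SYS_statx
    if (v != ABI_FILTERED) {
        ret = syscall(SYS_statx, (long)AT_FDCWD, NULL, 0L, 0L, NULL);
        v = classify_probe(ret, errno);
    }
#endif
    return v;
}

int main(void)
{
    if (probe_syscall_abi() == ABI_FILTERED) {
        fprintf(stderr, "seccomp filter answers EPERM for unsupported "
                        "syscalls; refusing to run\n");
        return 1;
    }
    puts("syscall ABI probe: no EPERM rewriting seen");
    return 0;
}
```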