From 010be6496ac02ca6d9ee47d2155867f8f0a2cab1 Mon Sep 17 00:00:00 2001
From: zhaoxiaohu
Date: Mon, 5 Aug 2024 14:38:17 +0800
Subject: [PATCH] backport seccomp: support "clone3" (return ENOSYS unless SYS_ADMIN is granted)

clone3 is explicitly requested to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset.
See moby/moby PR 42681 (thanks to berrange).

Without this commit, rawhide image does not work:
```console
$ sudo ctr run --rm --net-host --seccomp registry.fedoraproject.org/fedora:rawhide foo /usr/bin/curl google.com
curl: (6) getaddrinfo() thread failed to start
```

Reference: https://github.com/containerd/containerd/commit/55923daa9f56c8a890875f1e111201d918b382e2

Signed-off-by: Akihiro Suda
Signed-off-by: chenguanqiao
Signed-off-by: yuwang
Signed-off-by: zhaoxiaohu
---
 containerd.spec | 8 ++-
 ...n-ENOSYS-unless-SYS_ADMIN-is-granted.patch | 64 +++++++++++++++++++
 series.conf | 1 +
 3 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 patch/0113-containerd-backport-seccomp-support-clone3-return-ENOSYS-unless-SYS_ADMIN-is-granted.patch

diff --git a/containerd.spec b/containerd.spec
index f2b85c8..f72f117 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.2.0
 Name: containerd
-Release: 320
+Release: 321
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -72,6 +72,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr
 
 %changelog
+* Fri Aug 2 2024 zhaoxiaohu - 1.2.0-321
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Fix seccomp: support "clone3" (return ENOSYS unless SYS_ADMIN is granted)
+
 * Tue Jun 18 2024 panchenbo - 1.2.0-320
 - Type:enhancement
 - ID:NA
diff --git a/patch/0113-containerd-backport-seccomp-support-clone3-return-ENOSYS-unless-SYS_ADMIN-is-granted.patch b/patch/0113-containerd-backport-seccomp-support-clone3-return-ENOSYS-unless-SYS_ADMIN-is-granted.patch
new file mode 100644
index 0000000..9eacf78
--- /dev/null
+++ b/patch/0113-containerd-backport-seccomp-support-clone3-return-ENOSYS-unless-SYS_ADMIN-is-granted.patch
@@ -0,0 +1,64 @@
+From 8cfc05ec8d197556045f4d16bfc03663f53e9362 Mon Sep 17 00:00:00 2001
+From: zhaoxiaohu
+Date: Fri, 2 Aug 2024 18:11:06 +0800
+Subject: [PATCH] seccomp: support "clone3" (return ENOSYS unless
+ SYS_ADMIN is granted)
+
+clone3 is explicitly requested to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset.
+See moby/moby PR 42681 (thanks to berrange).
+
+Without this commit, rawhide image does not work:
+```console
+$ sudo ctr run --rm --net-host --seccomp registry.fedoraproject.org/fedora:rawhide foo /usr/bin/curl google.com
+curl: (6) getaddrinfo() thread failed to start
+```
+
+Reference: https://github.com/containerd/containerd/commit/55923daa9f56c8a890875f1e111201d918b382e2
+
+Signed-off-by: Akihiro Suda
+Signed-off-by: chenguanqiao
+Signed-off-by: yuwang
+Signed-off-by: zhaoxiaohu
+---
+ contrib/seccomp/seccomp_default.go | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
+index 11b446a..8ec4fee 100644
+--- a/contrib/seccomp/seccomp_default.go
++++ b/contrib/seccomp/seccomp_default.go
+@@ -48,6 +48,7 @@ func arches() []specs.Arch {
+ 
+ // DefaultProfile defines the whitelist for the default seccomp profile.
+ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
++ nosys := uint(unix.ENOSYS)
+ syscalls := []specs.LinuxSyscall{
+ {
+ Names: []string{
+@@ -459,6 +460,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
+ Names: []string{
+ "bpf",
+ "clone",
++ "clone3",
+ "fanotify_init",
+ "lookup_dcookie",
+ "mount",
+@@ -575,6 +577,15 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
+ },
+ })
+ }
++ // clone3 is explicitly requested to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset
++ // https://github.com/moby/moby/pull/42681
++ s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
++ Names: []string{
++ "clone3",
++ },
++ Action: specs.ActErrno,
++ ErrnoRet: &nosys,
++ })
+ }
+ 
+ return s
+-- 
+2.33.0
+
diff --git a/series.conf b/series.conf
index 81777d8..fa66acf 100644
--- a/series.conf
+++ b/series.conf
@@ -120,5 +120,6 @@ patch/0109-containerd-Backport-net-http-regenerate-h2_bundle.go.patch
 patch/0110-containerd-update-vendored-golang.org-x-net.patch
 patch/0111-containerd-disable-Transparent-HugePage-for-shim-pro.patch
 patch/0112-containerd-cio-FIFOSet.Close-check-if-FIFOSet-is-nill-to-preven.patch
+patch/0113-containerd-backport-seccomp-support-clone3-return-ENOSYS-unless-SYS_ADMIN-is-granted.patch
 sw64_patch/3001-thp-add-support-sw_64.patch
 # end
-- 
Gitee
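Review bot: The new `nosys := uint(unix.ENOSYS)` line at the top of DefaultProfile references the `unix` package, yet the backported patch touches no import block; if the 1.2.0 seccomp_default.go in this tree still imports only `syscall`, the build fails on an undefined `unix`, and `nosys := uint(syscall.ENOSYS)` would avoid that dependency. The same applies to `ErrnoRet` on `specs.LinuxSyscall`, which presumably exists only if the vendored runtime-spec in this tree is newer than what a stock 1.2.0 carries — both should be confirmed to resolve before the Release bump in containerd.spec lands. The errno actually delivered also depends on the OCI runtime consuming the profile honoring `errnoRet`; on one that ignores the field the rule presumably degrades to the action's default errno rather than failing loudly, which is worth a sentence in the commit message. The block the third hunk inserts into starts outside the hunk, so the CAP_SYS_ADMIN condition the subject promises cannot be verified from the hunk alone.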