docker / for-win

Bug reports for Docker Desktop for Windows
https://www.docker.com/products/docker#/windows

Docker Fails to Load Seccomp Profile: Assumes File Contents are the Seccomp Profile #13042

Closed Alexhuszagh closed 1 year ago

Alexhuszagh commented 2 years ago

Actual behavior:

If running a docker command with a custom seccomp profile, it reads the JSON profile as if it was the filename. An example (with the seccomp profile pasted below) is provided in steps to reproduce the behavior below.

Expected behavior:

It should load the seccomp profile from the filename after passing, rather than open and read the contents, and then assume this is the profile filename. This works differently than Docker on WSL2, Docker on Linux, and Podman. I'm using the default Ubuntu 20.04 image, to show the image doesn't matter.

Information:

Output of & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check

Diagnostics Output:

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0031: does the Docker API work?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0001: is the application running?
[SKIP] DD0018: does the host support virtualization?
[PASS] DD0002: does the bootloader have virtualization enabled?
[PASS] DD0017: can a VM be started?
[PASS] DD0024: is WSL installed?
[PASS] DD0021: is the WSL 2 Windows Feature enabled?
[PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled?
[PASS] DD0025: are WSL distros installed?
[PASS] DD0026: is the WSL LxssManager service running?
[PASS] DD0029: is the WSL 2 Linux filesystem corrupt?
[PASS] DD0035: is the VM time synchronized?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0005: is the user in the docker-users group?
[PASS] DD0007: is the backend responding?
[PASS] DD0014: are the backend processes running?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[PASS] DD0006: is the Docker Desktop Service responding?
[PASS] DD0012: is the VM networking working?
[PASS] DD0032: do Docker networks overlap with host IPs?
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0033: does the host have Internet access?
No fatal errors detected.

Steps to reproduce the behavior:

The command:

> docker run -it --rm --security-opt seccomp=path\to\seccomp\profile.json ubuntu:20.04 bash
Unable to find image 'ubuntu:20.04' locally
d5fd17ec1767: Already exists
53df61775e88: Download complete
docker: Error response from daemon: container create: opening seccomp profile failed: open {"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"names":["add_key","get_kernel_syms","keyctl","move_pages","nfsservctl","perf_event_open","pivot_root","query_module","request_key","sysfs","_sysctl","uselib","userfaultfd","ustat"],"action":"SCMP_ACT_ERRNO","errnoRet":1},{"names":["acct"],"action":"SCMP_ACT_ERRNO","errnoRet":1,"excludes":{"caps":["CAP_SYS_PACCT"]}},{"names":["bpf","lookup_dcookie","mount","quotactl","quotactl_fd","setns","swapon","swapoff","umount","umount2","unshare","vm86","vm86old","pciconfig_read","pciconfig_write","salinfo_log_open","salinfo_event_open","sys_cacheflush","rtas"],"action":"SCMP_ACT_ERRNO","errnoRet":1,"excludes":{"caps":["CAP_SYS_ADMIN"]}},{"names":["clock_adjtime","clock_settime","settimeofday","stime"],"action":"SCMP_ACT_ERRNO","errnoRet":1,"excludes":{"caps":["CAP_SYS_TIME"]}},{"names":["create_module","delete_module","finit_module","init_module"],"action":"SCMP_ACT_ERRNO","errnoRet":1,"excludes":{"caps":["CAP_SYS_MODULE"]}},{"names":["get_mempolicy","mbind","set_mempolicy"],"action":"SCMP_ACT_ERRNO","errnoRet":1,"excludes":{"caps":["CAP_SYS_NICE"]}},{"names":["ioperm","iopl"],"action":"SCMP_ACT_ERRNO","errnoRet":1,"excludes":{"caps":["CAP_SYS_RAWIO"]}},{"names":["kcmp","process_vm_readv","process_vm_writev","ptrace"],"action":"SCMP_ACT_ERRNO","errnoRet":1,"excludes":{"caps":["CAP_SYS_PTRACE"]}},{"names":["kexec_file_load","kexec_load","reboot"],"action":"SCMP_ACT_ERRNO","errnoRet":1,"excludes":{"caps":["CAP_SYS_BOOT"]}},{"names":["name_to_handle_at","open_by_handle_at"],"action":"SCMP_ACT_ERRNO","errnoRet":1,"excludes":{"caps":["CAP_DAC_READ_SEARCH"]}}]}: file name too long.
See 'docker run --help'.

seccomp profile:

{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "names": [
                "add_key",
                "get_kernel_syms",
                "keyctl",
                "move_pages",
                "nfsservctl",
                "perf_event_open",
                "pivot_root",
                "query_module",
                "request_key",
                "sysfs",
                "_sysctl",
                "uselib",
                "userfaultfd",
                "ustat"
            ],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1
        },
        {
            "names": [
                "acct"
            ],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1,
            "excludes": {
                "caps": [
                    "CAP_SYS_PACCT"
                ]
            }
        },
        {
            "names": [
                "bpf",
                "lookup_dcookie",
                "mount",
                "quotactl",
                "quotactl_fd",
                "setns",
                "swapon",
                "swapoff",
                "umount",
                "umount2",
                "unshare",
                "vm86",
                "vm86old",
                "pciconfig_read",
                "pciconfig_write",
                "salinfo_log_open",
                "salinfo_event_open",
                "sys_cacheflush",
                "rtas"
            ],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1,
            "excludes": {
                "caps": [
                    "CAP_SYS_ADMIN"
                ]
            }
        },
        {
            "names": [
                "clock_adjtime",
                "clock_settime",
                "settimeofday",
                "stime"
            ],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1,
            "excludes": {
                "caps": [
                    "CAP_SYS_TIME"
                ]
            }
        },
        {
            "names": [
                "create_module",
                "delete_module",
                "finit_module",
                "init_module"
            ],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1,
            "excludes": {
                "caps": [
                    "CAP_SYS_MODULE"
                ]
            }
        },
        {
            "names": [
                "get_mempolicy",
                "mbind",
                "set_mempolicy"
            ],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1,
            "excludes": {
                "caps": [
                    "CAP_SYS_NICE"
                ]
            }
        },
        {
            "names": [
                "ioperm",
                "iopl"
            ],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1,
            "excludes": {
                "caps": [
                    "CAP_SYS_RAWIO"
                ]
            }
        },
        {
            "names": [
                "kcmp",
                "process_vm_readv",
                "process_vm_writev",
                "ptrace"
            ],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1,
            "excludes": {
                "caps": [
                    "CAP_SYS_PTRACE"
                ]
            }
        },
        {
            "names": [
                "kexec_file_load",
                "kexec_load",
                "reboot"
            ],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1,
            "excludes": {
                "caps": [
                    "CAP_SYS_BOOT"
                ]
            }
        },
        {
            "names": [
                "name_to_handle_at",
                "open_by_handle_at"
            ],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1,
            "excludes": {
                "caps": [
                    "CAP_DAC_READ_SEARCH"
                ]
            }
        }
    ]
}

If I try a much smaller profile, I get:

 container create: opening seccomp profile failed: open {"defaultAction":"SCMP_ACT_ALLOW"}: no such file or directory.

If I try just "C:/Users/ahusz/git/cross/src/seccomp.json" in the JSON file, I get:

container create: opening seccomp profile failed: open "C:/Users/ahusz/git/cross/src/seccomp.json": no such file or directory.

If I try to use backslashes for native Windows paths, I get errors about invalid escape characters, even if the backslashes are properly escaped. In short, I can't even use a wrapper file to load the profile.
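As an added example (not code from this issue, and not Docker's own loader, which lives in the daemon), the following Python reference loader shows the semantics the report expects for `--security-opt seccomp=<value>`: `unconfined` disables filtering, anything else is a path that is opened, parsed as JSON and validated before use. It also turns the two failure modes seen in the report into explicit errors: a value that is raw profile JSON rather than a path, and a file whose contents are not a JSON object (for example a wrapper file holding only a path string, or a file with bad escapes). `summarize_denials` then splits the profile into syscalls denied unconditionally and syscalls denied only when the container lacks a capability, which is the useful review view of a profile like the one above. All function names are hypothetical; `SAMPLE_PROFILE` is a shortened copy (three of the ten rules) of the profile posted in this issue.

```python
import json
import os
import tempfile

# Action names this check accepts (the libseccomp actions used in Docker profiles).
VALID_ACTIONS = {
    "SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
    "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP", "SCMP_ACT_TRACE", "SCMP_ACT_LOG",
}

# Shortened copy of the profile from the report (three of its ten rules).
SAMPLE_PROFILE = """{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {"names": ["add_key", "get_kernel_syms", "keyctl", "move_pages", "nfsservctl",
               "perf_event_open", "pivot_root", "query_module", "request_key",
               "sysfs", "_sysctl", "uselib", "userfaultfd", "ustat"],
     "action": "SCMP_ACT_ERRNO", "errnoRet": 1},
    {"names": ["acct"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1,
     "excludes": {"caps": ["CAP_SYS_PACCT"]}},
    {"names": ["kcmp", "process_vm_readv", "process_vm_writev", "ptrace"],
     "action": "SCMP_ACT_ERRNO", "errnoRet": 1,
     "excludes": {"caps": ["CAP_SYS_PTRACE"]}}
  ]
}"""


def validate_profile(profile):
    """Raise ValueError unless `profile` has the shape Docker expects (hypothetical check)."""
    if not isinstance(profile, dict):
        # A wrapper file holding just a path string decodes to str and lands here.
        raise ValueError("profile must be a JSON object, got %s" % type(profile).__name__)
    if profile.get("defaultAction") not in VALID_ACTIONS:
        raise ValueError("missing or unknown defaultAction")
    for i, rule in enumerate(profile.get("syscalls", [])):
        names = rule.get("names")
        if not names or not all(isinstance(n, str) for n in names):
            raise ValueError("syscalls[%d]: 'names' must be a non-empty list of strings" % i)
        if rule.get("action") not in VALID_ACTIONS:
            raise ValueError("syscalls[%d]: unknown action %r" % (i, rule.get("action")))
        excludes = rule.get("excludes") or {}
        if not isinstance(excludes, dict):
            raise ValueError("syscalls[%d]: 'excludes' must be an object" % i)
        caps = excludes.get("caps", [])
        if not all(isinstance(c, str) and c.startswith("CAP_") for c in caps):
            raise ValueError("syscalls[%d]: excludes.caps must be CAP_* names" % i)
    return profile


def load_seccomp_option(value):
    """Resolve --security-opt seccomp=<value>: 'unconfined' disables filtering,
    anything else is a path to a JSON profile (the behaviour the report expects)."""
    if value == "unconfined":
        return None
    # Guard against the confusion in the report: raw JSON is not a file name.
    if value.lstrip().startswith("{"):
        raise ValueError("seccomp option value looks like profile contents, not a path")
    path = os.path.expanduser(value)
    with open(path, "r", encoding="utf-8") as fh:  # FileNotFoundError for a bad path
        try:
            profile = json.load(fh)
        except json.JSONDecodeError as exc:
            # Unescaped backslashes in a Windows path inside the file end up here.
            raise ValueError("%s is not valid JSON: %s" % (path, exc)) from exc
    return validate_profile(profile)


def summarize_denials(profile):
    """Return (denied unconditionally, {cap: denied unless the container has cap})."""
    unconditional, by_cap = set(), {}
    for rule in profile["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW":
            continue
        caps = (rule.get("excludes") or {}).get("caps", [])
        if not caps:
            unconditional.update(rule["names"])
        for cap in caps:
            by_cap.setdefault(cap, set()).update(rule["names"])
    return unconditional, by_cap


def demo():
    """Write the sample profile to a temporary file and load it by path."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False,
                                     encoding="utf-8") as fh:
        fh.write(SAMPLE_PROFILE)
        path = fh.name
    try:
        profile = load_seccomp_option(path)
    finally:
        os.unlink(path)
    return summarize_denials(profile)


if __name__ == "__main__":
    denied, per_cap = demo()
    print("denied unconditionally:", sorted(denied))
    for cap, names in sorted(per_cap.items()):
        print("denied without %s:" % cap, sorted(names))
```

Running the script prints the fourteen unconditionally denied syscalls and the two capability-gated groups. Pointing `load_seccomp_option` at a real profile before passing it to `docker run` catches a malformed file with a message that names the file and the offending rule, rather than the "file name too long" or "no such file or directory" errors quoted in the report, which both come from treating the wrong string as a path.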

nicks commented 2 years ago

I was not able to reproduce this problem. I ran

docker run -it --rm --security-opt seccomp=C:/Users/nick/profile.json ubuntu:20.04 bash

in Windows PowerShell, and it successfully gave me a shell.

A couple clarifying questions:

docker-robott commented 1 year ago

There hasn't been any activity on this issue for a long time. If the problem is still relevant, mark the issue as fresh with a /remove-lifecycle stale comment. If not, this issue will be closed in 30 days.

Prevent issues from auto-closing with a /lifecycle frozen comment.

/lifecycle stale

docker-robott commented 1 year ago

Closed issues are locked after 30 days of inactivity. This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked