oci-seccomp-bpf-hook: Can't generate a seccomp profile
I used this blog and followed the steps in it to generate a container seccomp profile, and I don't get a file, ls.json, output from running this:
sudo podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:32 ls / > /dev/null
I installed a fresh x86_64 Fedora 32 server on a VM using this Fedora-Server-netinst-x86_64-32-1.6.iso
- then installed like this:
sudo dnf install -y podman
sudo dnf install -y bcc-devel bcc-tools git golang libseccomp-devel golang-github-cpuguy83-md2man make
git clone https://github.com/containers/oci-seccomp-bpf-hook.git
cd oci-seccomp-bpf-hook
make binary
sudo make install
I've tried this on several other Fedora 32 VMs I had running, and I don't seem to be able to generate the profile. I might be missing something simple, but I don't know where else to look. Sorry if I'm doing something obviously wrong. Thanks.
Here are the command and the journal output:
sudo podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:32 ls / > /dev/null
[root@seccomp ~]# journalctl --since '2 minutes ago' | grep seccomp
Sep 01 17:31:12 seccomp audit[32794]: USER_ACCT pid=32794 uid=0 auid=1013 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Sep 01 17:31:12 seccomp sudo[32794]: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:32 ls
Sep 01 17:31:12 seccomp audit[32794]: USER_CMD pid=32794 uid=0 auid=1013 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=706F646D616E2072756E202D2D616E6E6F746174696F6E20696F2E636F6E7461696E6572732E74726163652D73797363616C6C3D6F663A2F746D702F6C732E6A736F6E206665646F72613A3332206C73 exe="/usr/bin/sudo" terminal=pts/0 res=success'
Sep 01 17:31:12 seccomp audit[32794]: CRED_REFR pid=32794 uid=0 auid=1013 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Sep 01 17:31:12 seccomp sudo[32794]: pam_unix(sudo:session): session opened for user root by jkl92(uid=0)
Sep 01 17:31:12 seccomp audit[32794]: USER_START pid=32794 uid=0 auid=1013 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Sep 01 17:31:12 seccomp kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth109c450f: link becomes ready
Sep 01 17:31:12 seccomp kernel: IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Sep 01 17:31:12 seccomp NetworkManager[764]: <info> [1598995872.6598] device (veth109c450f): carrier: link connected
Sep 01 17:31:12 seccomp NetworkManager[764]: <info> [1598995872.6606] manager: (veth109c450f): new Veth device (/org/freedesktop/NetworkManager/Devices/9)
Sep 01 17:31:12 seccomp kernel: cni-podman0: port 2(veth109c450f) entered blocking state
Sep 01 17:31:12 seccomp kernel: cni-podman0: port 2(veth109c450f) entered disabled state
Sep 01 17:31:12 seccomp kernel: device veth109c450f entered promiscuous mode
Sep 01 17:31:12 seccomp kernel: cni-podman0: port 2(veth109c450f) entered blocking state
Sep 01 17:31:12 seccomp kernel: cni-podman0: port 2(veth109c450f) entered forwarding state
Sep 01 17:31:12 seccomp audit: ANOM_PROMISCUOUS dev=veth109c450f prom=256 old_prom=0 auid=1013 uid=0 gid=0 ses=1
Sep 01 17:31:12 seccomp systemd-udevd[32838]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Sep 01 17:31:12 seccomp systemd-udevd[32838]: Using default interface naming scheme 'v245'.
Sep 01 17:31:12 seccomp audit[32847]: NETFILTER_CFG table=nat family=2 entries=10 op=replace pid=32847 subj=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 comm="iptables"
Sep 01 17:31:12 seccomp audit[32849]: NETFILTER_CFG table=nat family=2 entries=12 op=replace pid=32849 subj=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 comm="iptables"
Sep 01 17:31:12 seccomp audit[32851]: NETFILTER_CFG table=nat family=2 entries=13 op=replace pid=32851 subj=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 comm="iptables"
Sep 01 17:31:12 seccomp audit[32853]: NETFILTER_CFG table=nat family=2 entries=14 op=replace pid=32853 subj=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 comm="iptables"
Sep 01 17:31:12 seccomp systemd[1]: Started libpod-conmon-3e6bc02ff2fed640a673bbafb814fa8588b2988e9a4a5fbd0ebc00a0aa91de28.scope.
Sep 01 17:31:12 seccomp systemd[1]: Started libcrun container.
Sep 01 17:31:12 seccomp systemd[1]: tmp-crun.Awfg20.mount: Succeeded.
Sep 01 17:31:12 seccomp systemd[961]: tmp-crun.Awfg20.mount: Succeeded.
Sep 01 17:31:12 seccomp systemd[1]: libpod-3e6bc02ff2fed640a673bbafb814fa8588b2988e9a4a5fbd0ebc00a0aa91de28.scope: Succeeded.
Sep 01 17:31:12 seccomp sudo[32794]: pam_unix(sudo:session): session closed for user root
Sep 01 17:31:12 seccomp audit[32794]: USER_END pid=32794 uid=0 auid=1013 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Sep 01 17:31:12 seccomp audit[32794]: CRED_DISP pid=32794 uid=0 auid=1013 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Sep 01 17:31:12 seccomp audit[32931]: NETFILTER_CFG table=nat family=2 entries=15 op=replace pid=32931 subj=unconfined_u:system_r:iptables_t:s0 comm="iptables"
Sep 01 17:31:13 seccomp audit[32933]: NETFILTER_CFG table=nat family=2 entries=17 op=replace pid=32933 subj=unconfined_u:system_r:iptables_t:s0 comm="iptables"
Sep 01 17:31:13 seccomp audit[32934]: NETFILTER_CFG table=nat family=2 entries=15 op=replace pid=32934 subj=unconfined_u:system_r:iptables_t:s0 comm="iptables"
Sep 01 17:31:13 seccomp audit[32936]: NETFILTER_CFG table=nat family=2 entries=17 op=replace pid=32936 subj=unconfined_u:system_r:iptables_t:s0 comm="iptables"
Sep 01 17:31:13 seccomp audit[32937]: NETFILTER_CFG table=nat family=10 entries=5 op=replace pid=32937 subj=unconfined_u:system_r:iptables_t:s0 comm="ip6tables"
Sep 01 17:31:13 seccomp audit[32939]: NETFILTER_CFG table=nat family=10 entries=7 op=replace pid=32939 subj=unconfined_u:system_r:iptables_t:s0 comm="ip6tables"
Sep 01 17:31:13 seccomp audit[32940]: NETFILTER_CFG table=nat family=10 entries=5 op=replace pid=32940 subj=unconfined_u:system_r:iptables_t:s0 comm="ip6tables"
Sep 01 17:31:13 seccomp audit[32942]: NETFILTER_CFG table=nat family=10 entries=7 op=replace pid=32942 subj=unconfined_u:system_r:iptables_t:s0 comm="ip6tables"
Sep 01 17:31:13 seccomp kernel: cni-podman0: port 2(veth109c450f) entered disabled state
Sep 01 17:31:13 seccomp kernel: device veth109c450f left promiscuous mode
Sep 01 17:31:13 seccomp kernel: cni-podman0: port 2(veth109c450f) entered disabled state
Sep 01 17:31:13 seccomp audit: ANOM_PROMISCUOUS dev=veth109c450f prom=0 old_prom=256 auid=1013 uid=0 gid=0 ses=1
Sep 01 17:31:13 seccomp NetworkManager[764]: <info> [1598995873.0462] device (veth109c450f): released from master device cni-podman0
Sep 01 17:31:13 seccomp audit[32955]: NETFILTER_CFG table=nat family=2 entries=15 op=replace pid=32955 subj=unconfined_u:system_r:iptables_t:s0 comm="iptables"
Sep 01 17:31:13 seccomp audit[32958]: NETFILTER_CFG table=nat family=2 entries=14 op=replace pid=32958 subj=unconfined_u:system_r:iptables_t:s0 comm="iptables"
Sep 01 17:31:13 seccomp audit[32959]: NETFILTER_CFG table=nat family=2 entries=12 op=replace pid=32959 subj=unconfined_u:system_r:iptables_t:s0 comm="iptables"
Sep 01 17:31:13 seccomp systemd[961]: run-netns-cni\x2d7b8121a1\x2dfd92\x2da6f5\x2d44d1\x2dd090204332da.mount: Succeeded.
Sep 01 17:31:13 seccomp systemd[1]: run-netns-cni\x2d7b8121a1\x2dfd92\x2da6f5\x2d44d1\x2dd090204332da.mount: Succeeded.
Sep 01 17:31:13 seccomp systemd[1]: tmp-crun.Ap3I5u.mount: Succeeded.
Sep 01 17:31:13 seccomp systemd[961]: tmp-crun.Ap3I5u.mount: Succeeded.
Sep 01 17:31:13 seccomp systemd[961]: var-lib-containers-storage-overlay\x2dcontainers-3e6bc02ff2fed640a673bbafb814fa8588b2988e9a4a5fbd0ebc00a0aa91de28-userdata-shm.mount: Succeeded.
Sep 01 17:31:13 seccomp systemd[1]: var-lib-containers-storage-overlay\x2dcontainers-3e6bc02ff2fed640a673bbafb814fa8588b2988e9a4a5fbd0ebc00a0aa91de28-userdata-shm.mount: Succeeded.
Sep 01 17:31:13 seccomp systemd[961]: var-lib-containers-storage-overlay-1217e0819dff93f275a2718ea0adfbb9c17c54f9cc383aca3c724e2d2530db75-merged.mount: Succeeded.
Sep 01 17:31:13 seccomp systemd[1]: var-lib-containers-storage-overlay-1217e0819dff93f275a2718ea0adfbb9c17c54f9cc383aca3c724e2d2530db75-merged.mount: Succeeded.
Sep 01 17:31:13 seccomp systemd[1]: libpod-conmon-3e6bc02ff2fed640a673bbafb814fa8588b2988e9a4a5fbd0ebc00a0aa91de28.scope: Succeeded.
[root@seccomp ~]# ls /tmp/
systemd-private-0241899183c7408eabd29f70cc3adde0-chronyd.service-GGFMLf systemd-private-0241899183c7408eabd29f70cc3adde0-ModemManager.service-H1tlri
systemd-private-0241899183c7408eabd29f70cc3adde0-dbus-broker.service-XSxsAh systemd-private-0241899183c7408eabd29f70cc3adde0-systemd-logind.service-o51Szh
[root@seccomp ~]# find / -name ls.json
[root@seccomp ~]#
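The journal above shows conmon and crun starting and stopping the container but nothing from the hook itself, so the first thing to establish is whether podman found a hook definition at all, and the second is whether a non-empty profile was written. The script below is an added example, not code from the issue or from the oci-seccomp-bpf-hook project. It assumes podman loads hook definitions from /usr/share/containers/oci/hooks.d and /etc/containers/oci/hooks.d, that the definition file is named oci-seccomp-bpf-hook.json, and that the generated profile is JSON with a "defaultAction" of SCMP_ACT_ERRNO and a "syscalls" entry whose "names" array lists the allowed calls; if your install used a different PREFIX, adjust HOOK_DIRS.

```shell
#!/bin/sh
# Added example (not from the issue or the oci-seccomp-bpf-hook project).
# Verifies the two preconditions for a profile to appear: podman can find
# the hook definition, and the traced run wrote a non-empty profile.
# Assumed hook search directories and file name; change if PREFIX differs.
HOOK_DIRS="/usr/share/containers/oci/hooks.d /etc/containers/oci/hooks.d"
HOOK_NAME="oci-seccomp-bpf-hook.json"

# Print the hook definition podman will load; return 1 if none is installed.
find_hook_config() {
    for d in $HOOK_DIRS; do
        if [ -f "$d/$HOOK_NAME" ]; then
            printf '%s\n' "$d/$HOOK_NAME"
            return 0
        fi
    done
    echo "no $HOOK_NAME under: $HOOK_DIRS" >&2
    return 1
}

# Run one traced container (root is required: the hook attaches a BPF
# program) and return 1 if the output file is missing or empty.
# Usage: trace_profile /tmp/ls.json fedora:32 ls /
trace_profile() {
    out="$1"; shift
    rm -f "$out"
    sudo podman run --rm --annotation "io.containers.trace-syscall=of:$out" "$@" >/dev/null
    if [ ! -s "$out" ]; then
        echo "no profile at $out; re-run under 'sudo podman --log-level=debug run ...' to see whether the hook was invoked" >&2
        return 1
    fi
}

# Sanity-check a generated profile without jq: it must deny by default
# (SCMP_ACT_ERRNO) and allow at least one named syscall. Newlines are
# stripped first so pretty-printed and compact JSON are treated alike.
profile_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    flat=$(tr -d '\n' < "$f")
    printf '%s' "$flat" | grep -q '"defaultAction"[[:space:]]*:[[:space:]]*"SCMP_ACT_ERRNO"' || return 1
    printf '%s' "$flat" | grep -q '"SCMP_ACT_ALLOW"' || return 1
    printf '%s' "$flat" | grep -q '"names"[[:space:]]*:[[:space:]]*\[[[:space:]]*"[a-z0-9_]'
}

# Count the syscalls listed in the profile's first "names" array.
profile_syscall_count() {
    tr -d '\n' < "$1" |
        sed -n 's/.*"names"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' |
        tr ',' '\n' | grep -c '"'
}

# Live run only when arguments are given:
#   sh check-seccomp-hook.sh /tmp/ls.json fedora:32 ls /
if [ "$#" -gt 0 ]; then
    find_hook_config
    trace_profile "$@"
    profile_ok "$1" && echo "$1 allows $(profile_syscall_count "$1") syscalls"
fi
```

Because the generated profile denies everything it did not observe, a profile traced from a single `ls /` will make any other workload fail with EPERM; trace each representative code path before using the output with `--security-opt seccomp=`.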
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 3
- Comments: 30 (25 by maintainers)
Thanks for reaching out, @jkl92!
Can you do a
dnf install oci-seccomp-bpf-hook and try again? In the meantime, Fedora has a package for the hook.