oci-seccomp-bpf-hook: hook should detect when running in a rootless context and give a meaningful error
# podman run --rm --log-level=info --hooks-dir /usr/share/containers/oci/hooks.d --security-opt label=disable --annotation io.containers.trace-syscall='of:/tmp/foo.json' -it bash sh -c 'ls -al'
INFO[0000] podman filtering at log level info
INFO[0000] Found CNI network podman (type=bridge) at /home/bernhard/.config/cni/net.d/87-podman.conflist
INFO[0000] Setting parallel job count to 25
INFO[0000] Running conmon under slice user.slice and unitName libpod-conmon-ff907b2f6f7c482f5a49a6823c9fbf468b7f3041f3e48db2aad9ca0bfeacb16c.scope
Error: OCI runtime error: error executing hook `/usr/libexec/oci/hooks.d/oci-seccomp-bpf-hook` (exit code: 1)
Note that the last line is delayed by roughly 5~10 seconds
# /usr/share/containers/oci/hooks.d/oci-seccomp-bpf-hook.json
{
    "version": "1.0.0",
    "hook": {
        "path": "/usr/libexec/oci/hooks.d/oci-seccomp-bpf-hook",
        "args": [
            "oci-seccomp-bpf-hook",
            "-s"
        ]
    },
    "when": {
        "annotations": {
            "^io\\.containers\\.trace-syscall$": ".*"
        }
    },
    "stages": [
        "prestart"
    ]
}
About this issue
- State: closed
- Created 2 years ago
- Comments: 16 (7 by maintainers)
Ah, that makes sense. The hook must be run as root at present. I did not follow the rootless BPF progress in detail but it’s likely not being enabled on most distributions.
I will rename the issue. The hook should be able to detect whether it’s running in a rootless context or not.
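The check the maintainer is asking for, as an added example and not code from the oci-seccomp-bpf-hook project: a rootless podman runs the OCI runtime (and therefore prestart hooks) inside a user namespace, where the effective UID is 0 but /proc/self/uid_map is not the identity mapping of the initial namespace. The example therefore combines both signals, the effective UID and the uid_map, and returns a descriptive error instead of letting the hook die with a bare "exit code: 1". The function names, the hostUIDMap constant and the exact error wording are assumptions made for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strings"
)

// hostUIDMap is what /proc/self/uid_map looks like for a process in the
// initial user namespace: one line mapping uid 0 to uid 0 over the full
// 32-bit range. (Constructed reference value for this example.)
const hostUIDMap = "         0          0 4294967295\n"

// ErrRootless is returned when the hook determines it is not running as
// real host root; loading BPF programs in that situation will fail.
var ErrRootless = errors.New("oci-seccomp-bpf-hook: running in a rootless context; the hook needs real root to load BPF programs")

// uidMapIsIdentity reports whether a uid_map (the text of /proc/self/uid_map)
// describes the initial user namespace. Anything else, for example the
// "0 1000 1 / 1 100000 65536" style mapping of a rootless podman, means the
// process is inside a user namespace even if its effective uid is 0.
func uidMapIsIdentity(uidMap string) (bool, error) {
	sc := bufio.NewScanner(strings.NewReader(uidMap))
	lines := 0
	identity := false
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 {
			return false, fmt.Errorf("malformed uid_map line %q", sc.Text())
		}
		lines++
		if fields[0] == "0" && fields[1] == "0" && fields[2] == "4294967295" {
			identity = true
		}
	}
	if err := sc.Err(); err != nil {
		return false, err
	}
	return lines == 1 && identity, nil
}

// checkRootless combines the effective uid and the uid_map into one verdict.
// It is split out from the /proc access so the decision logic can be tested
// with constructed inputs.
func checkRootless(euid int, uidMap string) error {
	if euid != 0 {
		return fmt.Errorf("%w (effective uid %d)", ErrRootless, euid)
	}
	identity, err := uidMapIsIdentity(uidMap)
	if err != nil {
		return err
	}
	if !identity {
		return fmt.Errorf("%w (uid 0 is mapped inside a user namespace)", ErrRootless)
	}
	return nil
}

// detectRootless reads the live process state and applies checkRootless.
func detectRootless() error {
	data, err := os.ReadFile("/proc/self/uid_map")
	if err != nil {
		return fmt.Errorf("reading /proc/self/uid_map: %w", err)
	}
	return checkRootless(os.Geteuid(), string(data))
}

func main() {
	// A hook should fail early with a clear message: the runtime only relays
	// the exit code, so the explanation has to go to stderr.
	if err := detectRootless(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("running as real root; BPF syscall tracing can proceed")
}
```

Run at the start of the hook, before any BPF setup, this turns the opaque "error executing hook ... (exit code: 1)" into a message naming the actual cause; the exit status stays non-zero so the runtime still refuses to start the container.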