Incorrect generated seccomp profile for ASP.NET Core app #182

Open
mthalman opened this issue Mar 1, 2021 · 9 comments

Comments

@mthalman

mthalman commented Mar 1, 2021

Expected Behavior

Running docker-slim build on an ASP.NET Core application should produce a seccomp profile that can be successfully used when running the container.


Actual Behavior

Attempting to use the generated seccomp profile results in a failure to start the container. This is because the list of syscalls contained in the seccomp profile is missing fstatfs.


Steps to Reproduce the Problem

  1. git clone https://github.com/dotnet/dotnet-docker.git

  2. cd dotnet-docker/samples/aspnetapp

  3. docker-slim build --dockerfile Dockerfile.debian-x64-slim --expose 80 --copy-meta-artifacts artifacts --tag-fat app --tag app.min .

  4. docker run --rm -it -p 8000:80 --security-opt seccomp=artifacts/app-seccomp.json app.min

    Failure Result:

    docker: Error response from daemon: OCI runtime create failed: container_linux.go:370: starting container process caused: close exec fds: ensure /proc/self/fd is on procfs: operation not permitted: unknown.
    
  5. Open the artifacts/app-seccomp.json file in a text editor.

  6. Add fstatfs to the list of syscall names and save the file.

  7. docker run --rm -it -p 8000:80 --security-opt seccomp=artifacts/app-seccomp.json app.min

    Successful Result:

    warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
          Storing keys in a directory '/.aspnet/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.
    warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
          No XML encryptor configured. Key {c31322cc-fec6-4a7a-9dbf-3798a9e5db7c} may be persisted to storage in unencrypted form.
    info: Microsoft.Hosting.Lifetime[0]
          Now listening on: http://[::]:80
    info: Microsoft.Hosting.Lifetime[0]
          Application started. Press Ctrl+C to shut down.
    info: Microsoft.Hosting.Lifetime[0]
          Hosting environment: Production
    info: Microsoft.Hosting.Lifetime[0]
          Content root path: /app
    

Specifications

  • Version: docker-slim version linux|Transformer|1.34.0|a5cb54043b3ab3cf747165aad745f19db680434e|2021-01-29_10:00:49PM
  • Platform: Ubuntu 20.04
@kcq
Member

kcq commented Mar 1, 2021

@mthalman I'll try to repro the condition. Had a few challenges with the dotnet samples... I might need your help if you don't mind :) What's your preferred way to communicate?

@mthalman
Author

mthalman commented Mar 1, 2021

Twitter? @matt_tman

@jgibson2
Contributor

@kcq I am having the same issue. Version output:

% ~/opt/docker-slim/docker-slim version
cmd=version info=app version='darwin|Transformer|1.36.1|d8f2be23d44bf9f96c5f1f7e970c739106d17996|2021-06-21_03:24:08AM' container=false dsimage=false
cmd=version info=app outdated=false current=1.36.1 verdict='you have the latest version'
cmd=version info=app location='/Users/jgibson/opt/docker-slim'
cmd=version info=host osname='Catalina (10.15.6)'
cmd=version info=host osbuild=19H1030
cmd=version info=host version=' Mon Apr 12 20:57:45 PDT 2021; root:xnu-6153.141.28.1~1/RELEASE_X86_64'
cmd=version info=host release=19.6.0
cmd=version info=host sysname=darwin
cmd=version info=docker name=docker-desktop
cmd=version info=docker kernel_version=5.10.25-linuxkit
cmd=version info=docker operating_system=Docker Desktop
cmd=version info=docker ostype=linux
cmd=version info=docker server_version=20.10.5
cmd=version info=docker architecture=x86_64
cmd=version info=dclient api_version=1.41
cmd=version info=dclient min_api_version=1.12
cmd=version info=dclient build_time=2021-03-02T20:15:47.000000000+00:00
cmd=version info=dclient git_commit=363e9a8

In my case, docker-slim build was not picking up the fstatfs or chmod calls, but adding those calls allowed the container to run.

@jgibson2
Contributor

jgibson2 commented Jun 30, 2021

Steps to reproduce:

% docker pull python:3.9.5-buster
<docker pull output>

% ~/opt/docker-slim/docker-slim build --target python:3.9.5-buster --http-probe=false --exec "python3 --version"
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
cmd=build info=exec message='changing continue-after from probe to nothing because http-probe is disabled'
cmd=build info=exec message='updating continue-after mode to exec'
cmd=build state=started
cmd=build info=params target='python:3.9.5-buster' continue.mode='exec' rt.as.user='true' keep.perms='true' tags=''
cmd=build state=image.inspection.start
cmd=build info=image id='sha256:9b0d330dfd02b60939072b19a42eedf31064bc32ae642d4fca7468778421c787' size.bytes='885904109' size.human='886 MB'
cmd=build info=image.stack index='0' name='python:3.9.5-buster' id='sha256:9b0d330dfd02b60939072b19a42eedf31064bc32ae642d4fca7468778421c787'
cmd=build state=image.inspection.done
cmd=build state=container.inspection.start
cmd=build info=container status='created' name='dockerslimk_89270_20210630193831' id='1e86c1f808ed5c3a61ed581e23fc5c44b1da72d1b8a99f8e7b817c6159f16927'
cmd=build info=cmd.startmonitor status='sent'
cmd=build info=event.startmonitor.done status='received'
cmd=build info=container name='dockerslimk_89270_20210630193831' id='1e86c1f808ed5c3a61ed581e23fc5c44b1da72d1b8a99f8e7b817c6159f16927' target.port.list='' target.port.info='' message='YOU CAN USE THESE PORTS TO INTERACT WITH THE CONTAINER'
cmd=build info=continue.after mode='exec' message='provide the expected input to allow the container inspector to continue its execution'
cmd=build info=continue.after mode='exec' shell='python3 --version'
docker-slim[build][exec]: output: Python 3.9.5
cmd=build info=continue.after mode='exec' exitcode='0'
cmd=build state=container.inspection.finishing
cmd=build state=container.inspection.artifact.processing
cmd=build state=container.inspection.done
cmd=build state=building message=building optimized image
cmd=build state=completed
cmd=build info=results by='34.25X' size.original='886 MB' size.optimized='26 MB' status='MINIFIED'
cmd=build info=results image.name='python.slim' image.size='26 MB' has.data='true'
cmd=build info=results artifacts.location='/Users/jgibson/opt/docker-slim/.docker-slim-state/images/9b0d330dfd02b60939072b19a42eedf31064bc32ae642d4fca7468778421c787/artifacts'
cmd=build info=results artifacts.report='creport.json'
cmd=build info=results artifacts.dockerfile.reversed='Dockerfile.fat'
cmd=build info=results artifacts.dockerfile.optimized='Dockerfile'
cmd=build info=results artifacts.seccomp='python-seccomp.json'
cmd=build info=results artifacts.apparmor='python-apparmor-profile'
cmd=build state=done
cmd=build info=commands message='use the xray command to learn more about the optimize image'
cmd=build info=report file='slim.report.json'
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'

% docker run -it python:3.9.5-buster python3 --version
Python 3.9.5

% docker run --security-opt seccomp:/Users/jgibson/opt/docker-slim/.docker-slim-state/images/9b0d330dfd02b60939072b19a42eedf31064bc32ae642d4fca7468778421c787/artifacts/python-seccomp.json -it python:3.9.5-buster python3 --version
docker: Error response from daemon: OCI runtime create failed: container_linux.go:367: starting container process caused: close exec fds: ensure /proc/self/fd is on procfs: operation not permitted: unknown.
ERRO[0000] error waiting for container: context canceled

Note: chmod is not required for this to run correctly, but for my other application it was not being picked up.

@InnovativeInventor

I can reproduce this as well (different image, though)! Adding fstatfs to the list of allowed syscalls worked for me.

@kcq
Member

kcq commented Jan 23, 2022

@InnovativeInventor do you have a repro you can share? are you using the --exec param? One thing to keep in mind with the --exec param is that whatever you execute there won't be included in the list of syscalls reported back to the main app.

@InnovativeInventor

Unfortunately, I can't share the image I reproduced this bug on. However, I was using the --exec param, so that may be the issue (although I think the default entrypoint for the image I was running docker-slim should have used all the necessary syscalls that are being used in prod).

@DavideRutigliano

DavideRutigliano commented Aug 29, 2022

Hi,

Following up on this discussion, I am having the same issue on several images (I am using SUSE Linux but can't share images either).

Expected Behavior

Container is able to start using the auto-generated seccomp profile.

Actual Behavior

Container does not start, throwing the following error:

docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error closing exec fds: ensure /proc/self/fd is on procfs: operation not permitted: unknown.

Solution

Solved by adding the fstatfs syscall to the seccomp profile's list of allowed system calls.

Specifications

  • docker-slim version: linux|Transformer|1.38.0|937cad81bc1b1be05e7fc3cf0f6259c4a1f3a452|2022-08-28_05:51:34AM
  • platform: Ubuntu 20.04.4 LTS

Request

Given that this problem is common to several users, can this manual addition (fstatfs syscall) be automated? (or any workaround available to avoid manual modification of the profile?)
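The manual step in the original report (open the generated profile, add fstatfs to the list of names, save) and the request above are the same edit. What follows is an added example for this thread, not docker-slim's own code, that makes the edit with a script so it can sit in a build pipeline until the tool emits the syscall itself. It assumes the profile uses the Docker daemon's seccomp JSON layout (a top-level defaultAction, optional architectures, and a syscalls list of rules of the form {"names": [...], "action": "SCMP_ACT_ALLOW", "args": [...]}), which is the format the daemon loads with --security-opt seccomp=; the profile embedded in the script is constructed for illustration and lists far fewer names than a real one, and the script filename in the usage note is hypothetical. For background on why the syscall is missing from a traced profile: the error text "ensure /proc/self/fd is on procfs" comes from runc, which calls fstatfs on its /proc/self/fd handle to confirm the filesystem is procfs before it closes inherited descriptors ("close exec fds"). The EPERM shows that call is already subject to the filter, so it runs inside runc's own init, before the container's entrypoint is exec'd, where a tracer that only watches the application never sees it.

```python
"""Add the syscalls the container runtime needs to a generated seccomp profile.

Added example for this issue thread, not part of docker-slim.  Assumes the
Docker daemon's seccomp JSON layout: a top-level "defaultAction", optional
"architectures", and a "syscalls" list of rules shaped like
{"names": [...], "action": "SCMP_ACT_ALLOW", "args": [...]}.
"""
import json
import sys
from pathlib import Path

# fstatfs is what runc needs for its "ensure /proc/self/fd is on procfs" check.
# chmod was missing for one reporter's application; it is not added by default
# but can be listed on the command line.
REQUIRED_SYSCALLS = ("fstatfs",)

# Constructed sample in the generated-profile layout.  A real profile lists far
# more names; these few are only here so the example runs stand-alone.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "mmap", "futex"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        # A rule with argument filters must be left alone: appending a name here
        # would allow it only when the argument condition matches.
        {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 2, "op": "SCMP_CMP_EQ"}]},
    ],
}


def _is_unconditional_allow(rule):
    return rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args")


def _rule_names(rule):
    # Docker accepts both the list form ("names") and the older single "name".
    names = list(rule.get("names", []))
    if "name" in rule:
        names.append(rule["name"])
    return names


def missing_syscalls(profile, required=REQUIRED_SYSCALLS):
    """Names from `required` the profile would not let through unconditionally."""
    allowed, denied = set(), set()
    for rule in profile.get("syscalls", []):
        if _is_unconditional_allow(rule):
            allowed.update(_rule_names(rule))
        elif rule.get("action") != "SCMP_ACT_ALLOW":
            denied.update(_rule_names(rule))
    default_allows = profile.get("defaultAction") == "SCMP_ACT_ALLOW"
    return [n for n in required
            if n not in allowed and (not default_allows or n in denied)]


def add_syscalls(profile, names=REQUIRED_SYSCALLS):
    """Return a deep copy of `profile` in which `names` are allowed unconditionally."""
    patched = json.loads(json.dumps(profile))
    missing = missing_syscalls(patched, names)
    if not missing:
        return patched  # idempotent: nothing to do
    # Prefer extending the first unconditional allow rule; otherwise add one.
    for rule in patched.setdefault("syscalls", []):
        if _is_unconditional_allow(rule) and "names" in rule:
            rule["names"].extend(missing)
            break
    else:
        patched["syscalls"].append(
            {"names": missing, "action": "SCMP_ACT_ALLOW", "args": []})
    return patched


def patch_file(path, names=REQUIRED_SYSCALLS):
    """Rewrite the profile at `path` in place; return the names that were added."""
    p = Path(path)
    profile = json.loads(p.read_text())
    added = missing_syscalls(profile, names)
    if added:
        p.write_text(json.dumps(add_syscalls(profile, names), indent=2) + "\n")
    return added


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} PROFILE.json [SYSCALL ...]")
    wanted = tuple(sys.argv[2:]) or REQUIRED_SYSCALLS
    print("added:", patch_file(sys.argv[1], wanted) or "nothing, already allowed")
```

Saved as, say, patch_seccomp.py, `python3 patch_seccomp.py artifacts/app-seccomp.json` reproduces step 6 of the original report, and `python3 patch_seccomp.py artifacts/app-seccomp.json fstatfs chmod` covers the second report; rerun the `docker run --security-opt seccomp=...` command afterwards. Each name added here widens the allow-list for the whole container, so keep the additions to what the runtime demonstrably needs rather than pre-emptively allowing everything the application might touch.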

@kcq
Member

kcq commented Aug 29, 2022

@DavideRutigliano confirming where the call is coming from to find the right place for it. Either way, will add it. Will update soon.

Development

No branches or pull requests

5 participants