Merge pull request #5172 from kolyshkin/seccomp-wait-kill

Support specs.LinuxSeccompFlagWaitKillableRecv

Author: AkihiroSuda

CHANGELOG.md

@@ -136,6 +136,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 [debian-armhf]: https://wiki.debian.org/ArmHardFloatPort
 
+### Added ###
+- Support for specs.LinuxSeccompFlagWaitKillableRecv. (#5172)
+
 ## [1.4.0] - 2025-11-27
 
 > 路漫漫其修远兮，吾将上下而求索！

docs/spec-conformance.md

@@ -3,12 +3,6 @@
 This branch of runc implements the [OCI Runtime Spec v1.3.0](https://github.com/opencontainers/runtime-spec/tree/v1.3.0)
 for the `linux` platform.
 
-The following features are not implemented yet:
-
-Spec version | Feature                                        | PR
--------------|------------------------------------------------|----------------------------------------------------------
-v1.1.0       | `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV`       | [#3862](https://github.com/opencontainers/runc/pull/3862)
-
 ## Architectures
 
 The following architectures are supported:

libcontainer/seccomp/config.go

@@ -109,6 +109,7 @@ var flags = []string{
 	flagTsync,
 	string(specs.LinuxSeccompFlagSpecAllow),
 	string(specs.LinuxSeccompFlagLog),
+	string(specs.LinuxSeccompFlagWaitKillableRecv),
 }
 
 // KnownFlags returns the list of the known filter flags.

libcontainer/seccomp/patchbpf/enosys_linux.go

@@ -51,6 +51,11 @@ const uintptr_t C_FILTER_FLAG_SPEC_ALLOW = SECCOMP_FILTER_FLAG_SPEC_ALLOW;
 #endif
 const uintptr_t C_FILTER_FLAG_NEW_LISTENER = SECCOMP_FILTER_FLAG_NEW_LISTENER;
 
+#ifndef SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
+#	define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (1UL << 5)
+#endif
+const uintptr_t C_FILTER_FLAG_WAIT_KILLABLE_RECV = SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV;
+
 #ifndef AUDIT_ARCH_RISCV64
 #ifndef EM_RISCV
 #define EM_RISCV		243
@@ -667,6 +672,13 @@ func filterFlags(config *configs.Seccomp, filter *libseccomp.ScmpFilter) (flags
 			flags |= uint(C.C_FILTER_FLAG_SPEC_ALLOW)
 		}
 	}
+	if apiLevel >= 7 {
+		if waitKill, err := filter.GetWaitKill(); err != nil {
+			return 0, false, fmt.Errorf("unable to fetch SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV bit: %w", err)
+		} else if waitKill {
+			flags |= uint(C.C_FILTER_FLAG_WAIT_KILLABLE_RECV)
+		}
+	}
 	// XXX: add newly supported filter flags above this line.
 
 	for _, call := range config.Syscalls {

libcontainer/seccomp/seccomp_linux.go

@@ -159,6 +159,11 @@ func setFlag(filter *libseccomp.ScmpFilter, flag specs.LinuxSeccompFlag) error {
 			return fmt.Errorf("error adding SSB flag to seccomp filter: %w", err)
 		}
 		return nil
+	case specs.LinuxSeccompFlagWaitKillableRecv:
+		if err := filter.SetWaitKill(true); err != nil {
+			return fmt.Errorf("error adding WaitKill flag to seccomp filter: %w", err)
+		}
+		return nil
 	}
 	// NOTE when adding more flags above, do not forget to also:
 	// - add new flags to `flags` slice in config.go;

tests/integration/seccomp-notify.bats

@@ -58,6 +58,27 @@ function scmp_act_notify_template() {
 	[ "$status" -eq 0 ]
 }
 
+@test "runc run [seccomp] (SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV)" {
+	scmp_act_notify_template "mkdir /dev/shm/foo && stat /dev/shm/foo-bar" false '"mkdir"'
+	update_config '.linux.seccomp.flags = [ "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV" ]'
+
+	runc --debug run test_busybox
+	if [ "$status" -ne 0 ]; then
+		# Older libseccomp or kernel?
+		if [[ "$output" == *"error adding WaitKill flag to seccomp filter: SetWaitKill requires "* ]]; then
+			skip "$(sed -e 's/^.*SetWaitKill //' -e 's/" func=.*$//' <<<"$output")"
+		fi
+		# Otherwise, fail.
+		[ "$status" -eq 0 ]
+	fi
+	# Check the numeric flags value, as printed in the debug log, is as expected.
+	# 32: SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
+	#  8: SECCOMP_FILTER_FLAG_NEW_LISTENER
+	exp='"seccomp filter flags: 40"'
+	echo "expecting $exp"
+	[[ "$output" == *"$exp"* ]]
+}
+
 # Test actions not-handled by the agent work fine. noNewPrivileges FALSE.
 @test "runc exec [seccomp] (SCMP_ACT_NOTIFY noNewPrivileges false)" {
 	requires root

tests/integration/seccomp.bats

@@ -102,8 +102,11 @@ function flags_value() {
 
 	# Get the list of flags supported by runc/seccomp/kernel,
 	# or "null" if no flags are supported or runc is too old.
+	#
+	# Filter out WAIT_KILLABLE_RECV as it requires a listener,
+	# and thus tested separately in seccomp-notify.bats.
 	mapfile -t flags < <(__runc features | jq -c '.linux.seccomp.supportedFlags' |
-		tr -d '[]\n' | tr ',' '\n')
+		tr -d '[]\n' | tr ',' '\n' | grep -v 'WAIT_KILLABLE_RECV')
 
 	# This is a set of all possible flag combinations to test.
 	declare -A TEST_CASES=(