Skip to content

Comments

Prevent openat from trapping on seccomp thread, by making it return EACCES instead#573

Merged
ludfjig merged 2 commits intohyperlight-dev:mainfrom
ludfjig:openat
Jun 6, 2025
Merged

Prevent openat from trapping on seccomp thread, by making it return EACCES instead#573
ludfjig merged 2 commits intohyperlight-dev:mainfrom
ludfjig:openat

Conversation

@ludfjig
Copy link
Contributor

@ludfjig ludfjig commented Jun 5, 2025
edited
Loading

We have seen CI being flaky due to a sporatic openat syscall. Turns out (g)libc can try to open /proc/sys/vm/overcommit_memory during a call to free().

This PRs makes openat return EACCES rather than trap.

An alternative solution I tried is to "prime" malloc/free before applying the seccompfilter, but that didn't work.

Closes #175

@ludfjig ludfjig added the kind/bugfix For PRs that fix bugs label Jun 5, 2025
@ludfjig
Prevent openat from trapping on seccomp thread, by making it return E…
954be40 
…ACCES instead

Signed-off-by: Ludvig Liljenberg <4257730+ludfjig@users.noreply.github.com>
jprendes
jprendes reviewed Jun 5, 2025
View reviewed changes
@ludfjig
Allow openat to be allowed if specified in extra_allowed_syscalls
36b5335 
Signed-off-by: Ludvig Liljenberg <4257730+ludfjig@users.noreply.github.com>
jprendes
jprendes approved these changes Jun 5, 2025
View reviewed changes
Copy link
Contributor

@jprendes jprendes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ludfjig ludfjig merged commit d74a279 into hyperlight-dev:main Jun 6, 2025
29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jprendes jprendes jprendes approved these changes

@danbugs danbugs Awaiting requested review from danbugs danbugs is a code owner

@dblnz dblnz Awaiting requested review from dblnz dblnz is a code owner

@devigned devigned Awaiting requested review from devigned devigned is a code owner

@syntactically syntactically Awaiting requested review from syntactically syntactically is a code owner

@marosset marosset Awaiting requested review from marosset marosset is a code owner

@simongdavies simongdavies Awaiting requested review from simongdavies simongdavies is a code owner

Assignees

No one assigned

Labels

kind/bugfix For PRs that fix bugs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CI instability: openat(2) where we don't expect it

2 participants

@ludfjig @jprendes