Update libseccomp without imposing Linux 5.7 requirement (seccomp API level 6)

[Furisto]

Bug description

We encountered an issue in staging and preview environments where workspaces could not start up successfully. This issue popped up after #7657 was introduced. The change was reverted here. This only happened in the preview and staging environments which are running kernel version 5.4, but not in production which is running 5.13.

Kernel 5.4 has libseccomp api level 5 while 5.13 has api level 6. The first kernel version to support api level 6 is 5.7. A kernel has supports libseccomp api level 6 if it supports SECCOMP_FILTER_FLAG_TSYNC_ESRCH.

{"level":"info","message":"signaling to child process","ring":1,"serviceContext":{"service":"workspacekit","version":"commit-c9cebdd0ef6cd7cc09456a24a48afd4ebe82d085"},"severity":"INFO","time":"2022-01-20T10:11:12Z"}
{"level":"info","message":"awaiting seccomp fd","ring":1,"serviceContext":{"service":"workspacekit","version":"commit-c9cebdd0ef6cd7cc09456a24a48afd4ebe82d085"},"severity":"INFO","time":"2022-01-20T10:11:12Z"}
{"@type":"type.googleapis.com/google.devtools.clouderrorreporting.v1beta1.ReportedErrorEvent","error":"cannot add rule for bind:\n    github.com/gitpod-io/gitpod/workspacekit/pkg/seccomp.LoadFilter\n        /tmp/build/components-workspacekit--app.e12d4c33816c4ea1bcaadffc719ca0288d37780e/pkg/seccomp/notify.go:86\n  - two checks on same syscall argument","level":"error","message":"cannot load seccomp filter - syscall handling would be broken","ring":2,"serviceContext":{"service":"workspacekit","version":"commit-c9cebdd0ef6cd7cc09456a24a48afd4ebe82d085"},"severity":"ERROR","time":"2022-01-20T10:11:12Z"}

Steps to reproduce

Apply #7657 to kernel < 5.7

Workspace affected

n.a.

Expected behavior

Workspaces starting successfully.

Example repository

n.a.

Anything else?

See https://gitpod.slack.com/archives/C01KGM9AW4W/p1642679350077600

How to test

Short term

1. Make sure to test in core-dev (GKE & K8s) and workspace-preview (K3s).

Long term

1. Once core-dev is gone, we'll need to change the kernel version in workspace-preview, if we are to test against a kernel that is like the one used in GKE.

echo "deb http://security.ubuntu.com/ubuntu focal-security main " >>/etc/apt/sources.list
linux-gke linux-gke-headers-5.4.0-1059 linux-gke-tools-5.4.0-1059 linux-headers-5.4.0-1059-gke linux-image-5.4.0-1059-gke linux-image-gke linux-modules-5.4.0-1059-gke linux-modules-extra-5.4.0-1059-gke linux-tools-5.4.0-1059-gke

[utam0k]

Why do we need to use kinvolk/libseccomp-golang?

This is because we want to use the seccomp notify feature. We use seccomp notify when the proc mount system call, we make the target path change in userspace. So if seccomp notify doesn't work properly, we can't mount the proc.
https://github.com/gitpod-io/gitpod/blob/main/components/workspacekit/pkg/seccomp/notify.go

Why do we need to upgrade the version of kinvolk/libseccomp-golang?

The libseccomp-go that we are currently using has a bug regarding seccomp notify. It is probably fixed in this commit.
https://github.com/kinvolk/libseccomp-golang/commit/3879420cc921efb4f1a2d75bea84e6158ef21a78

Normally, we should re-execute the corresponding system call when we get an error code of EINTR, but that process was missing in libseccomp-go. The above commit is the fix. Probably because of this bug, seccomp notify was not working properly, so the proc mount was not working properly.

https://man7.org/linux/man-pages/man7/signal.7.html

In certain circumstances, the seccomp(2) user-space notification feature can lead to restarting of system calls that would otherwise never be restarted by SA_RESTART; for details, see seccomp_unotify(2).

https://man7.org/linux/man-pages/man3/errno.3.html

EINTR 4 Interrupted system call

Why can't we update kinvolk/libseccomp-golang?

This is because the kernel version needs to be upgraded as outlined in the issue.

What should we do?

So, we can fork kinvolk/libseccomp-golang and apply the above commit to the version we want to use, to avoid this problem. This way, we won't get caught up in the seccomp API level-up.
https://github.com/gitpod-io/libseccomp-golang

[Furisto]

• Applying commit kinvolk/libseccomp-golang@3879420 won't do as any good as we are using a development version of the kinvolk library which already has these changes.
• Using the latest version from the main branch also does not fix the issue
• Switching the shift method from fuse to shifts however does work