From e653176be184110d45c0a7d7ac1de0fec73bc0ca Mon Sep 17 00:00:00 2001
From: Michael Pratt
Date: Fri, 15 Aug 2025 12:50:03 -0700
Subject: [PATCH] Drop sched_getaffinity from sentry syscall filters

As of https://go.dev/cl/677037, runtime.GOMAXPROCS guarantees that sched_getaffinity will not be called after returning. Thus it is safe to drop from the syscall filters, as the sentry always sets a custom GOMAXPROCS. The gofer keeps the filter, as it doesn't set a custom GOMAXPROCS.

PiperOrigin-RevId: 795577263
---
 runsc/boot/filter/config/config_main.go | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/runsc/boot/filter/config/config_main.go b/runsc/boot/filter/config/config_main.go
index a0a3747ab7..0f9fe8b50b 100644
--- a/runsc/boot/filter/config/config_main.go
+++ b/runsc/boot/filter/config/config_main.go
@@ -263,22 +263,7 @@ var allowedSyscalls = seccomp.MakeSyscallRules(map[uintptr]seccomp.SyscallRule{
 unix.SYS_RT_SIGACTION: seccomp.MatchAll{},
 unix.SYS_RT_SIGPROCMASK: seccomp.MatchAll{},
 unix.SYS_RT_SIGRETURN: seccomp.MatchAll{},
- // TODO(go.dev/issue/73193): sched_getaffinity is used by Go's
- // automatic GOMAXPROCS updater. The runtime.GOMAXPROCS call in
- // boot.New explicitly disables this updater. Currently
- // runtime.GOMAXPROCS guarantees that the updater will not change
- // GOMAXPROCS after runtime.GOMAXPROCS return. However, it does not
- // guarantee that a concurrent update run will not perform the system
- // call after runtime.GOMAXPROCS returns. So there is a tiny probability
- // that we will manage to install filters before such a concurrent run
- // calls sched_getaffinity.
- //
- // The Go runtime should make a stronger guarantee. Until then, allow the
- // syscall.
- unix.SYS_SCHED_GETAFFINITY: seccomp.PerArg{
- seccomp.EqualTo(0),
- },
- unix.SYS_SCHED_YIELD: seccomp.MatchAll{},
+ unix.SYS_SCHED_YIELD: seccomp.MatchAll{},
 unix.SYS_SENDMSG: seccomp.PerArg{
 seccomp.AnyValue{},
 seccomp.AnyValue{},
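Review bot: The tightened filter now silently depends on the sentry being built with a Go toolchain that carries the guarantee from go.dev/cl/677037; with an older toolchain the GOMAXPROCS updater could still issue sched_getaffinity after the filters are installed and the sentry would be killed by seccomp, yet nothing in the hunk records that build requirement once the old TODO comment is gone. Consider leaving a one-line comment at the spot the entry was removed, e.g. `// sched_getaffinity is deliberately absent: runtime.GOMAXPROCS (go.dev/cl/677037) guarantees the automatic updater never calls it after boot.New sets GOMAXPROCS; building requires a toolchain with that change.`, so the next person extending this map does not re-add it or assume it was dropped by mistake. If the module's go directive predates that change, raising it would tie the filter to the toolchain that makes it safe, though whether that is needed cannot be seen from this hunk. The allowedSyscalls map continues outside the hunk on both sides.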