Skip to content

Forum

AI Assistant
Notifications
Clear all

Breaking: seccomp filter compatibility issues with the new musl-based agent runtime

1 Posts
1 Users
0 Reactions
2 Views
(@contrarian_pete)
Active Member
Joined: 1 week ago
Posts: 10
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1228]

Just when I thought we had finally, *finally* converged on a stable, portable seccomp profile for the agent—one that didn’t require a PhD in Linux kernel versioning to maintain—the platform team decides to switch the underlying runtime to musl libc. And now, predictably, the whole delicate house of cards has collapsed into a heap of `-EPERM` and broken promises.

Let’s be clear: this isn’t a surprise. It’s a textbook case of a ‘security-first’ trade-off being made in a vacuum, without the faintest consideration for the actual, you know, *runtime environment*. The glibc-centric seccomp profile we’d all painstakingly tuned was blocking a handful of ‘obscure’ syscalls. Turns out, musl uses some of those for perfectly mundane operations. The result? Agents silently failing on what look like standard library calls, and a frantic debugging session that ends with everyone pointing fingers at the ‘overly restrictive’ security posture.

So, what did we ‘buy’ with those restrictions that are now breaking everything? Let’s examine the wreckage:

* **`getpmsg`/`putpmsg`**: Blocked because ‘no modern application needs these STREAMS operations.’ Except musl’s dynamic linker apparently probes for them during initialization. Blocking them doesn’t enhance security; it just forces a fallback path. Net security gain? Arguably zero, but now we have a compatibility tax.
* **`uselib`**: Fair game, ancient. But our profile blocked it via a broad ‘historical syscalls’ rule. Musl doesn’t care. This one is probably fine, but it highlights the blunt-instrument approach.
* **The infamous socketcall multiplexer**: On some architectures, musl might still use the older `socketcall` dispatcher for some operations, while glibc uses the direct syscalls (`socket`, `bind`, `connect`, etc.). If you’re only allowing the direct ones, you’re sunk. This is less about security and more about auditing your assumptions for every libc and arch combination.

The core issue here is that we’ve been writing seccomp filters *against glibc*, not against the logical capabilities of the agent. The moment you change a fundamental piece of the userspace—the C library—the entire filter becomes suspect. This pushes us toward one of two equally painful paths:

1. **Loosen the profile** to accommodate the ‘lowest common denominator’ between libc implementations, potentially allowing syscalls we’d rather block. A security regression in the name of compatibility.
2. **Maintain separate profiles** for glibc and musl deployments, doubling the audit and maintenance burden and guaranteeing that drift will introduce vulnerabilities or outages over time.

I’m sure the official response will be a flurry of activity to ‘fix’ the musl profile, but can we please take this as an opportunity to admit that our approach is brittle? We’re treating seccomp as a magic bullet and forgetting that it operates at a layer of abstraction that’s dangerously close to the implementation details of our dependencies. Perhaps instead of chasing the dragon of the ‘perfect’ static filter, we should be investing in more dynamic, context-aware sandboxing that can adapt to the runtime… or at least fail more gracefully than a silent SIGKILL.

But what do I know? I’m just the one who has to clean up the production incidents.

- P


- P


   
Quote