Gwtc java.io.IOException: operation not permitted - seccomp

Trying to run the GWT compiler (gwtc) inside a container, but on docker 1.11 it is crashing with

 [java] Caused by: java.io.IOException: Operation not permitted
 [java] 	at sun.nio.ch.FileDispatcherImpl.init(Native Method)
 [java] 	at sun.nio.ch.FileDispatcherImpl.<clinit>(FileDispatcherImpl.java:35)
 [java] 	... 79 more

I have confirmed that it is a seccomp issue by running the container unconfined. The build runs through successfully in this case:

$ sudo docker run --security-opt seccomp:unconfined -dp 8023:22 my-build

I captured a strace on both successful and unsuccessful runs from the host machine. I deliberately filtered out the flood of futex syscalls, just to make the output more readable. I then extracted the complete list of syscalls made during a successful run of gwtc.

$ sudo strace -fp 16131 -e 'trace=!futex' >strace.success 2>&1
$ gawk '/^\[pid/ && $3 ~ "^[a-z_]" {sub("\\(.*","",$3); print $3}' strace.success | sort | uniq

There are no syscalls in this strace of a successful build that are not listed in the default seccomp profile. The only syscall (being used in the successful build) that has any constraint on its arguments is clone, so I modified the default profile to allow all args as follows:

{
	"name": "clone",
	"action": "SCMP_ACT_ALLOW",
	"args": []
},

I ran the container with this modified seccomp profile, but no cigar:

$ sudo docker run --security-opt seccomp=seccomp.clone-allow-all-args.json -dp 8023:22 my-build

In the strace of the failed run, I noticed a number of lines of this form:

[pid 15687] syscall_4294967295(0x1, 0xc4460ab4, 0xc4460ba4, 0xffffffff, 0xc4463dc4, 0xc4463dc4 <unfinished ...>
[pid 15672] <... stat64 resumed> 0xf670b78c) = -1 ENOENT (No such file or directory)
[pid 15687] <... syscall_4294967295 resumed> ) = -1 (errno 1)

or

[pid 15687] syscall_4294967295(0x1, 0xc4462754, 0x1, 0x2, 0x1, 0xc4462788) = -1 (errno 1)

Does this represent some syscall that has been rejected by seccomp? Which syscall might it be?

Grepping the successful strace for syscalls with 6 parameters (i.e. 5 commas), I get this list, all of which are whitelisted with unconstrained args in the default seccomp profile:

bind
connect
getsockname
recvfrom
recvmsg
sendmmsg
sendto

So far I am defeated. The only way I can get gwtc to run is by turning seccomp off completely (“unconfined”), which doesn’t seem ideal.

Suggestions?

Server Version: 1.11.1
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Kernel Version: 4.4.0-22-generic
Operating System: Ubuntu 16.04 LTS
OSType: linux
Architecture: x86_64

Does anyone have a fully-permissive seccomp profile that I could try?

I attempted this myself, getting a list of syscalls from arch/x86/entry/syscalls/syscall_64.tbl, and merging it with the default seccomp profile, but still no joy.

Promisingly, there is a pull request on docker to reinstate the --cap-add functionality in the presence of the default seccomp profile:

Align default seccomp profile with selected capabilities by justincormack

I will just live with seccomp=unconfined until this one is available.
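An added example (not code from the original post or from Docker) that automates the comparison the post does by hand and also picks out the `syscall_4294967295` lines. That number is 0xffffffff, i.e. -1 as a 32-bit value: when a seccomp `SECCOMP_RET_ERRNO` rule skips a call, the x86 kernel reports the syscall number to the ptrace tracer as -1, so strace prints the call anonymously with `(errno N)` as the raw result and cannot name it; the argument registers are left as the caller set them. The 32-bit number and the `stat64` calls also show the tracee is an i386 process, so a "fully permissive" profile built only from `syscall_64.tbl` will not contain i386-only entries from `syscall_32.tbl`. The script assumes the Docker 1.x profile layout (`defaultAction` plus a `syscalls` list of `{name, action, args}` rules, with the later `names` list also accepted) and `strace -f` output; the trace lines and profile embedded below are constructed from the excerpts above, not captured data.

```python
#!/usr/bin/env python3
"""Triage seccomp denials from 'strace -f' output against a Docker profile.

Added example; assumes the Docker 1.x profile JSON layout and strace -f
line formats shown in the post. Sample inputs below are constructed.
"""
import errno as errno_mod
import json
import re
import sys

# How strace prints a syscall the kernel already skipped under a seccomp
# SECCOMP_RET_ERRNO rule: number -1, shown unsigned for the tracee's word size.
SKIPPED = {"syscall_4294967295", "syscall_18446744073709551615", "syscall_-1"}

PID_RE = re.compile(r"^\[pid\s+(\d+)\]\s*")
ENTRY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]*)\(")
RESUMED_RE = re.compile(r"^<\.\.\.\s+(\S+)\s+resumed>")
RAW_ERRNO_RE = re.compile(r"=\s+-1\s+\(errno\s+(\d+)\)\s*$")


def _split(line):
    """Return (pid, rest) for one strace -f line; pid is None without -f."""
    m = PID_RE.match(line)
    return (int(m.group(1)), line[m.end():]) if m else (None, line)


def observed_syscalls(trace_text):
    """Names of every named syscall in the trace (entry or 'resumed' form)."""
    names = set()
    for line in trace_text.splitlines():
        _, rest = _split(line)
        m = ENTRY_RE.match(rest) or RESUMED_RE.match(rest)
        if m and m.group(1) not in SKIPPED:
            names.add(m.group(1))
    return names


def seccomp_denials(trace_text):
    """List (pid, raw_args, errno_name) for each seccomp-skipped call.

    The errno may sit on the same line or on a later '<... resumed>' line for
    the same pid, so unfinished denials are tracked per pid.
    """
    pending, denials = {}, []
    for line in trace_text.splitlines():
        pid, rest = _split(line)
        m = ENTRY_RE.match(rest)
        if m and m.group(1) in SKIPPED:
            body = rest[m.end():]
            args = body.split(" <unfinished")[0].split(")")[0].strip()
            e = RAW_ERRNO_RE.search(rest)
            if e:
                denials.append((pid, args, _errname(int(e.group(1)))))
            else:
                pending[pid] = args
            continue
        r = RESUMED_RE.match(rest)
        if r and r.group(1) in SKIPPED and pid in pending:
            e = RAW_ERRNO_RE.search(rest)
            code = int(e.group(1)) if e else None
            denials.append((pid, pending.pop(pid), _errname(code)))
    return denials


def _errname(code):
    return errno_mod.errorcode.get(code, str(code))


def load_profile(profile_json):
    """Return (defaultAction, {syscall name: [arg constraints]}) for ALLOW rules."""
    prof = json.loads(profile_json)
    allowed = {}
    for rule in prof["syscalls"]:
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        for name in rule.get("names") or [rule["name"]]:
            allowed.setdefault(name, []).extend(rule.get("args") or [])
    return prof.get("defaultAction"), allowed


def audit(trace_text, profile_json):
    """(syscalls seen but not whitelisted, whitelisted syscalls with arg rules)."""
    _, allowed = load_profile(profile_json)
    seen = observed_syscalls(trace_text)
    missing = sorted(seen - allowed.keys())
    constrained = sorted(n for n in seen if allowed.get(n))
    return missing, constrained


# Constructed sample: the post's excerpt plus a few plausible neighbours.
SAMPLE_TRACE = """\
[pid 15672] stat64("/etc/ld.so.nohwcap",  <unfinished ...>
[pid 15687] syscall_4294967295(0x1, 0xc4460ab4, 0xc4460ba4, 0xffffffff, 0xc4463dc4, 0xc4463dc4 <unfinished ...>
[pid 15672] <... stat64 resumed> 0xf670b78c) = -1 ENOENT (No such file or directory)
[pid 15687] <... syscall_4294967295 resumed> ) = -1 (errno 1)
[pid 15687] clone(child_stack=0xf5e2b464, flags=CLONE_VM|CLONE_FS) = 15690
[pid 15687] syscall_4294967295(0x1, 0xc4462754, 0x1, 0x2, 0x1, 0xc4462788) = -1 (errno 1)
[pid 15690] sendto(3, "x", 1, 0, NULL, 0) = 1
"""

# Constructed cut-down profile in the Docker 1.x layout (clone rule as in the
# default profile of that era; sendto deliberately left out).
SAMPLE_PROFILE = """{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"name": "stat64", "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "clone", "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2080505856, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}]}
  ]
}"""

if __name__ == "__main__":
    # usage: seccomp_triage.py strace.out default.json  (defaults to the samples)
    trace = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    prof = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_PROFILE
    missing, constrained = audit(trace, prof)
    print("not whitelisted:", missing)
    print("whitelisted with arg constraints:", constrained)
    for pid, args, err in seccomp_denials(trace):
        print(f"seccomp-skipped call in pid {pid}: args=({args}) -> {err}")
```

Run it as `seccomp_triage.py strace.failure /path/to/default.json`. A denied call shows up only in the `seccomp-skipped` list, never under its name, so the name diff alone will look clean, exactly as in the post; the argument values are the remaining hint for guessing which call it was, and since the tracee is 32-bit they should be read against the i386 calling convention and `syscall_32.tbl`.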