statx syscall not working correctly with DinD

[Psy-Kai]

The following bug occurs when starting a container in a DinD container:
When starting a container, you cannot use statx syscall. Starting the container in privileged mode you can use the statx syscall. I tried to pass a seccomp profile file to whitelist the statx call but it wont work.

The DinD container was started in privileged mode.

[tianon]

I wonder if this is related to moby/moby#36417, especially moby/moby#36417 (comment):

I tried to emulate this case by whitelisting the fake syscall nonsense and got no error message. The container started as intended. Furthermore, the seccomp filter still seems to work as I got EPERM on a non whitelisted syscall.

So, it's probably not possible for Docker to whitelist the statx syscall without a new enough libseccomp that supports doing so (regardless of what your profile states).

[Psy-Kai]

Calling statx in a container works since Docker verison 18.04 without privileged mode. But it wont work in a container running in a DinD container.

[tianon]

Right, the libseccomp that's compiled statically into the official Docker binaries we consume (from https://download.docker.com/linux/static/) probably isn't new enough.

[Psy-Kai]

You are right. Using docker from the arch repository works fine. The version from https://download.docker.com/linux/static/edge/x86_64/docker-18.05.0-ce.tgz does not work.

[tianon]

Cool, glad we got it figured out -- however, I don't think there's much we can do about this here.

@thaJeztah is there somewhere we ought to file this? Do you think it's conceivable to update libseccomp in those static binaries?

[thaJeztah]

@tianon definitely worth opening an issue for; I guess this is due to Debian stretch being somewhat behind