seccomp.Seccomp: embed oci-spec LinuxSeccomp, add support for seccomp flags #42648
Conversation
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Add test to verify profile validation, and to verify that the legacy format actually loads the profile as expected (instead of only verifying it doesn't produce an error). Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added
status/2-code-review
kind/enhancement
|
Doh! Forgot to update two existing tests that check for the error that's returned; Perhaps those tests are a bit redundant now, but let me update them. |
Make the error message slightly more informative, and remove the redundant `len(config.ArchMap) != 0` check, as iterating over an empty, or 'nil' slice is a no-op already. This allows to use a slightly more idiomatic "if ok := xx; ok" condition. Also move validation to the start of the loop (early return), and explicitly create a new slice for "names" if the legacy "Name" field is used. Signed-off-by: Sebastiaan van Stijn <[email protected]>
…p flags This patch, similar to d927397, embeds the `LinuxSeccomp` type of the runtime-spec, so that we can support all options provided by the spec, and decorates it with our own fields. With this, profiles can make use of the recently added "Flags" field, to specify flags that must be passed to seccomp(2) when installing the filter. Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
seccomp_closer_to_oci
branch
from
b7d6305
to
0ef7e72
Compare
|
@tianon this one good to go? |
|
@thaJeztah have you tested this? Overall looks good, but AFAIK runc doesn't support specifying seccomp flags. Here it fails if flags are specified. I just tested a runc container with flags, just in case, and indeed it throws that error. Have you tested this with runc? Or is the idea to use another OCI runtime with this? |
|
Correct; this won't work (yet) with the current version of runc. (haven't checked if other runtimes, such as crun already support it). We should probably call that out in the changelog ("for runtimes that support it"), but otherwise I think it should be ok to have this in, as it's not used by default, and if the user updates to a version of the runtime that supports it, they can use a profile with this feature set. /cc @tianon @samuelkarp in case you think we should disable the functionality pending the above |
Fixes #42619 (Feature request: ability to set SECCOMP_FILTER_FLAG_SPEC_ALLOW in seccomp profiles)
seccomp: improve GoDoc for Seccomp fields
seccomp: use oci-spec consts in tests
seccomp: add additional unit-tests
Add test to verify profile validation, and to verify that the legacy format actually loads the profile as expected (instead of only verifying it doesn't produce an error).
seccomp: setupSeccomp(): update errors and remove redundant check
Make the error message slightly more informative, and remove the redundant
len(config.ArchMap) != 0check, as iterating over an empty, or 'nil' slice is a no-op already. This allows to use a slightly more idiomatic "if ok := xx; ok" condition.Also move validation to the start of the loop (early return), and explicitly create a new slice for "names" if the legacy "Name" field is used.
seccomp: Seccomp: embed oci-spec Seccomp, add support for seccomp flags
This patch, similar to d927397 (Refactor seccomp types to reuse runtime-spec, and add support for "ErrnoRet" #42005), embeds the type of the runtime-spec, so that we can support all options provided by the spec, and decorates it with our own fields.
With this, profiles can make use of the recently added "Flags" field, to specify flags that must be passed to seccomp(2) when installing the filter.
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)