-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFE: Support for addfd to secomp user notifier #380
Comments
Yeah, it would be good to have this in libseccomp. We currently use this as well in an open-coded version in LXD https://github.com/lxc/lxd/blob/98935b925c0caffc9d4a083c191671d553739313/lxd/seccomp/seccomp.go#L395 |
Thanks for the issue, this has been in the back of my mind but I haven't had the chance to work on it yet. Having this as an issue should help a bit. I've gone ahead and added it to the v2.6.0 milestone too. A quick word of caution if anyone else is looking into implementing this in libseccomp: before you simply copy the lxd code in Christian's reply, please note the license differences between the two projects. |
The seccomp selftests upstream also have the basic logic in there fwiw. |
The feature of addfd[1][2] allows the supervisor to install file descriptors into the intercepted task. By implementing this
feature via seccomp the supervisor effectively instructs the supervisee to install a set of file descriptors into its own file descriptor table during the intercepted syscall.
This feature is actullay used to accelerate the container network[3].
We want to need the support of addfd in libseccomp.
At first, I create the issue although @ManaSugi and I don't have enough time to implement it currently.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/seccomp.c?id=7cf97b12545503992020796c74bd84078eb39299
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/seccomp.c?id=0ae71c7720e3ae3aabd2e8a072d27f7bd173d25c
[3] https://github.com/rootless-containers/bypass4netns
The text was updated successfully, but these errors were encountered: