RFE: Support for addfd to secomp user notifier #380
Comments
|
Yeah, it would be good to have this in libseccomp. We currently use this as well in an open-coded version in LXD https://github.com/lxc/lxd/blob/98935b925c0caffc9d4a083c191671d553739313/lxd/seccomp/seccomp.go#L395 |
|
Thanks for the issue, this has been in the back of my mind but I haven't had the chance to work on it yet. Having this as an issue should help a bit. I've gone ahead and added it to the v2.6.0 milestone too. A quick word of caution if anyone else is looking into implementing this in libseccomp: before you simply copy the lxd code in Christian's reply, please note the license differences between the two projects. |
|
The seccomp selftests upstream also have the basic logic in there fwiw. |
The feature of addfd[1][2] allows the supervisor to install file descriptors into the intercepted task. By implementing this
feature via seccomp the supervisor effectively instructs the supervisee to install a set of file descriptors into its own file descriptor table during the intercepted syscall.
This feature is actullay used to accelerate the container network[3].
We want to need the support of addfd in libseccomp.
At first, I create the issue although @ManaSugi and I don't have enough time to implement it currently.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/seccomp.c?id=7cf97b12545503992020796c74bd84078eb39299
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/seccomp.c?id=0ae71c7720e3ae3aabd2e8a072d27f7bd173d25c
[3] https://github.com/rootless-containers/bypass4netns
The text was updated successfully, but these errors were encountered: