Merge pull request #74 from bytedance/refactor-seccomp-enforcer

Refactor seccomp enforcer

docs/interface_instructions.md

@@ -18,7 +18,7 @@ English | [简体中文](interface_instructions.zh_CN.md)
 |      ||vulMitigationRules<br>*string array*|Optional. VulMitigationRules are used to specify the built-in vulnerability mitigation rules, please refer to the [Built-in Rules](built_in_rules.md).
 |      ||appArmorRawRules<br>*string array*|Optional. AppArmorRawRules is used to set custom AppArmor rules, each rule must end with a comma, please refer to the [AppArmor Syntax](interface_instructions.md#apparmor-enforcer).
 |      ||bpfRawRules<br>*[BpfRawRules](interface_instructions.md#bpfrawrules) array*|Optional. BpfRawRules is used to set custom BPF rules.
-|      ||syscallRawRules<br>*[LinuxSyscall](https://pkg.go.dev/github.com/opencontainers/runtime-spec@v1.1.0/specs-go#LinuxSyscall) array*|Optional. SyscallRawRules is used to set the syscalls blocklist rules with Seccomp enforcer.
+|      ||syscallRawRules<br>*[LinuxSyscall](https://pkg.go.dev/github.com/opencontainers/runtime-spec@v1.1.0/specs-go#LinuxSyscall) array*|Optional. SyscallRawRules is used to set the custom syscalls blocklist rules with Seccomp enforcer. Please refer to [this document](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp) to create custom rules.
 |      ||privileged<br>*bool*|Optional. Privileged is used to identify whether the policy is for the privileged container. If set to `nil` or `false`, vArmor will build AppArmor or BPF profiles on top of the **RuntimeDefault** mode. Otherwise, it will build AppArmor or BPF profiles on top of the **AlwaysAllow** mode. (Default: false)<br><br>Note: If set to `true`, vArmor will not build Seccomp profile for the target workloads.
 |      |modelingOptions|duration<br>*int*|[Experimental] Duration is the duration in minutes to modeling. 
 |updateExistingWorkloads<br>*bool*|-|-|Optional. UpdateExistingWorkloads is used to indicate whether to perform a rolling update on target existing workloads, thus enabling or disabling the protection of the target workloads when policies are created or deleted. (Default: false)<br><br>Note: vArmor only performs a rolling update on Deployment, StatefulSet, or DaemonSet type workloads. If `.spec.target.kind` is Pod, you need to rebuild the Pod yourself to enable or disable protection.

docs/interface_instructions.zh_CN.md

@@ -17,7 +17,7 @@
 |      ||vulMitigationRules<br>*string array*|可选字段，用于指定要使用的内置规则，详见 [内置规则](built_in_rules.zh_CN.md)
 |      ||appArmorRawRules<br>*string array*|可选字段，用于设置自定义的 AppArmor 黑名单规则，参见 [AppArmor 语法](interface_instructions.zh_CN.md#apparmor-enforcer)
 |      ||bpfRawRules<br>*[BpfRawRules](interface_instructions.zh_CN.md#bpfrawrules) array*|可选字段，用于支持用户设置自定义的 BPF 黑名单规则
-|      ||syscallRawRules<br>*[LinuxSyscall](https://pkg.go.dev/github.com/opencontainers/runtime-spec@v1.1.0/specs-go#LinuxSyscall) array*|可选字段，用于支持用户使用 Seccomp enforcer 设置自定义的 Syscall 黑名单规则
+|      ||syscallRawRules<br>*[LinuxSyscall](https://pkg.go.dev/github.com/opencontainers/runtime-spec@v1.1.0/specs-go#LinuxSyscall) array*|可选字段，用于支持用户使用 Seccomp enforcer 设置自定义的 Syscall 黑名单规则。请参考[此文档](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp)来制定自定义规则。
 |      ||privileged<br>*bool*|可选字段，若要对特权容器进行加固，请务必将此值设置为 true。若为 `false`，将在 **RuntimeDefault** 模式的基础上构造 AppArmor/BPF Profiles。若为 `ture`，则在 **AlwaysAllow** 模式的基础上构造 AppArmor/BPF Profiles。<br><br>注意：当为 `true` 时，vArmor 不会为目标构造 Seccomp Profiles（默认值：false）
 |      |modelingOptions|duration<br>*int*|动态建模的时间（单位：分钟）[实验功能]
 |updateExistingWorkloads<br>*bool*|-|-|可选字段，用于指定是否对符合条件的工作负载进行滚动更新，从而在 Policy 创建或删除时，对目标工作负载开启或关闭防护（默认值：false）<br><br>注意：vArmor 只会对 Deployment, StatefulSet, or DaemonSet 类型的工作负载进行滚动更新，如果 `.spec.target.kind` 为 Pod，需要您自行重建 Pod 来开启或关闭防护。