seccomp: custom annotation to load raw bpf

Add an annotation `run.oci.seccomp_bpf_data` to ignore the seccomp section in the OCI configuration file and use the specified file as the raw data to the `seccomp(SECCOMP_SET_MODE_FILTER)` syscall. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
containers · Jan 26, 2021 · 8a4cf2d · 8a4cf2d
1 parent d883b62
commit 8a4cf2d
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 3 deletions.
diff --git a/crun.1 b/crun.1
@@ -467,6 +467,12 @@ are available on the \fB\fCld.so(8)\fR man page.
 If the annotation \fB\fCrun.oci.seccomp\_fail\_unknown\_syscall\fR is present, then crun
 will fail when an unknown syscall is encountered in the seccomp configuration.
 
+.SH \fB\fCrun.oci.seccomp\_bpf\_data\fR
+.PP
+If the annotation \fB\fCrun.oci.seccomp\_bpf\_data\fR is present, then crun
+ignores the seccomp section in the OCI configuration file and use the specified file
+as the raw data to the \fB\fCseccomp(SECCOMP\_SET\_MODE\_FILTER)\fR syscall.
+
 .SH \fB\fCrun.oci.keep\_original\_groups=1\fR
 .PP
 If the annotation \fB\fCrun.oci.keep\_original\_groups\fR is present, then crun

diff --git a/crun.1.md b/crun.1.md
@@ -371,6 +371,12 @@ are available on the `ld.so(8)` man page.
 If the annotation `run.oci.seccomp_fail_unknown_syscall` is present, then crun
 will fail when an unknown syscall is encountered in the seccomp configuration.
 
+## `run.oci.seccomp_bpf_data`
+
+If the annotation `run.oci.seccomp_bpf_data` is present, then crun
+ignores the seccomp section in the OCI configuration file and use the specified file
+as the raw data to the `seccomp(SECCOMP_SET_MODE_FILTER)` syscall.
+
 ## `run.oci.keep_original_groups=1`
 
 If the annotation `run.oci.keep_original_groups` is present, then crun

diff --git a/src/libcrun/container.c b/src/libcrun/container.c
@@ -1950,9 +1950,29 @@ libcrun_container_run_internal (libcrun_container_t *container, libcrun_context_
       if (annotation && strcmp (annotation, "0") != 0)
         seccomp_gen_options = LIBCRUN_SECCOMP_FAIL_UNKNOWN_SYSCALL;
 
-      ret = libcrun_generate_seccomp (container, seccomp_fd, seccomp_gen_options, err);
-      if (UNLIKELY (ret < 0))
-        return cleanup_watch (context, pid, sync_socket, terminal_fd, err);
+      annotation = find_annotation (container, "run.oci.seccomp_bpf_data");
+      if (annotation == NULL)
+        {
+          ret = libcrun_generate_seccomp (container, seccomp_fd, seccomp_gen_options, err);
+          if (UNLIKELY (ret < 0))
+            return cleanup_watch (context, pid, sync_socket, terminal_fd, err);
+        }
+      else
+        {
+          cleanup_free char *file_content = NULL;
+          size_t size;
+
+          ret = read_all_file (annotation, &file_content, &size, err);
+          if (UNLIKELY (ret < 0))
+            return cleanup_watch (context, pid, sync_socket, terminal_fd, err);
+
+          ret = safe_write (seccomp_fd, file_content, (ssize_t) size);
+          if (UNLIKELY (ret < 0))
+            {
+              crun_make_error (err, 0, "write to seccomp fd");
+              return cleanup_watch (context, pid, sync_socket, terminal_fd, err);
+            }
+        }
       close_and_reset (&seccomp_fd);
     }