specgen: support --security-opt easyseccomp=

start plumbing support for easyseccomp. Requires: containers/crun#578 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe · Feb 11, 2021 · e1e5e00 · e1e5e00
1 parent 2bdf286
commit e1e5e00
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 14 deletions.
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
@@ -531,6 +531,9 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 			case "seccomp":
 				s.SeccompProfilePath = con[1]
 				s.Annotations[define.InspectAnnotationSeccomp] = con[1]
+			case "easyseccomp":
+				s.EasySeccompProfilePath = con[1]
+				s.Annotations[define.InspectAnnotationEasySeccomp] = con[1]
 			// this option is for docker compatibility, it is the same as unmask=ALL
 			case "systempaths":
 				if con[1] == "unconfined" {

diff --git a/libpod/define/annotations.go b/libpod/define/annotations.go
@@ -52,6 +52,12 @@ const (
 	// If an annotation with this key is found in the OCI spec, it will be
 	// used in the output of Inspect().
 	InspectAnnotationSeccomp = "io.podman.annotations.seccomp"
+	// InspectAnnotationEasySeccomp is used by Inspect to identify containers
+	// with special EasySeccomp-related settings. It is used to populate the
+	// output of the SecurityOpt setting in Inspect.
+	// If an annotation with this key is found in the OCI spec, it will be
+	// used in the output of Inspect().
+	InspectAnnotationEasySeccomp = "io.podman.annotations.easy-seccomp"
 	// InspectAnnotationApparmor is used by Inspect to identify containers
 	// with special Apparmor-related settings. It is used to populate the
 	// output of the SecurityOpt setting.

diff --git a/pkg/specgen/generate/config_linux_cgo.go b/pkg/specgen/generate/config_linux_cgo.go
@@ -5,61 +5,75 @@ package generate
 import (
 	"context"
 	"io/ioutil"
+	"path/filepath"
 
 	goSeccomp "github.com/containers/common/pkg/seccomp"
 	"github.com/containers/podman/v2/libpod/image"
 	"github.com/containers/podman/v2/pkg/seccomp"
 	"github.com/containers/podman/v2/pkg/specgen"
+	easyseccomp "github.com/giuseppe/easyseccomp/pkg/easyseccomp"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
 
-func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *image.Image) (*spec.LinuxSeccomp, error) {
+func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *image.Image, tmpdir string) (*spec.LinuxSeccomp, map[string]string, error) {
 	var seccompConfig *spec.LinuxSeccomp
 	var err error
 	scp, err := seccomp.LookupPolicy(s.SeccompPolicy)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if scp == seccomp.PolicyImage {
 		if img == nil {
-			return nil, errors.New("cannot read seccomp profile without a valid image")
+			return nil, nil, errors.New("cannot read seccomp profile without a valid image")
 		}
 		labels, err := img.Labels(context.Background())
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		imagePolicy := labels[seccomp.ContainerImageLabel]
 		if len(imagePolicy) < 1 {
-			return nil, errors.New("no seccomp policy defined by image")
+			return nil, nil, errors.New("no seccomp policy defined by image")
 		}
 		logrus.Debug("Loading seccomp profile from the security config")
 		seccompConfig, err = goSeccomp.LoadProfile(imagePolicy, configSpec)
 		if err != nil {
-			return nil, errors.Wrap(err, "loading seccomp profile failed")
+			return nil, nil, errors.Wrap(err, "loading seccomp profile failed")
 		}
-		return seccompConfig, nil
+		return seccompConfig, nil, nil
+	}
+
+	if s.EasySeccompProfilePath != "" {
+		logrus.Debugf("Loading easy seccomp profile from %q", s.EasySeccompProfilePath)
+		opts := easyseccomp.LoadProfileOptions{
+			TmpDir: filepath.Join(tmpdir, "easyseccomp"),
+		}
+		seccompConfig, annotations, err := easyseccomp.LoadProfile(s.EasySeccompProfilePath, configSpec, &opts)
+		if err != nil {
+			return nil, nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.EasySeccompProfilePath)
+		}
+		return seccompConfig, annotations, nil
 	}
 
 	if s.SeccompProfilePath != "" {
 		logrus.Debugf("Loading seccomp profile from %q", s.SeccompProfilePath)
 		seccompProfile, err := ioutil.ReadFile(s.SeccompProfilePath)
 		if err != nil {
-			return nil, errors.Wrap(err, "opening seccomp profile failed")
+			return nil, nil, errors.Wrap(err, "opening seccomp profile failed")
 		}
 		seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
 		if err != nil {
-			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
+			return nil, nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
 		}
 	} else {
 		logrus.Debug("Loading default seccomp profile")
 		seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
 		if err != nil {
-			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
+			return nil, nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", s.SeccompProfilePath)
 		}
 	}
 
-	return seccompConfig, nil
+	return seccompConfig, nil, nil
 }
diff --git a/pkg/specgen/generate/config_linux_nocgo.go b/pkg/specgen/generate/config_linux_nocgo.go
@@ -10,6 +10,6 @@ import (
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 )
 
-func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *image.Image) (*spec.LinuxSeccomp, error) {
-	return nil, errors.New("not implemented")
+func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *image.Image) (*spec.LinuxSeccomp, map[string]string, error) {
+	return nil, nil, errors.New("not implemented")
 }
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
@@ -164,11 +164,14 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 
 	// HANDLE SECCOMP
 	if s.SeccompProfilePath != "unconfined" {
-		seccompConfig, err := getSeccompConfig(s, configSpec, newImage)
+		seccompConfig, annotations, err := getSeccompConfig(s, configSpec, newImage, rtc.Engine.TmpDir)
 		if err != nil {
 			return err
 		}
 		configSpec.Linux.Seccomp = seccompConfig
+		for k, v := range annotations {
+			configSpec.Annotations[k] = v
+		}
 	}
 
 	// Clear default Seccomp profile from Generator for unconfined containers

diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
@@ -284,6 +284,11 @@ type ContainerSecurityConfig struct {
 	// SeccompPolicy determines which seccomp profile gets applied
 	// the container. valid values: empty,default,image
 	SeccompPolicy string `json:"seccomp_policy,omitempty"`
+	// EasySeccompProfilePath is the path to a file containing the
+	// container's EasySeccomp profile.
+	// If not specified, no EasySeccomp profile will be used.
+	// Optional.
+	EasySeccompProfilePath string `json:"easy_seccomp_profile_path,omitempty"`
 	// SeccompProfilePath is the path to a JSON file containing the
 	// container's Seccomp profile.
 	// If not specified, no Seccomp profile will be used.