Refactor seccomp types to reuse runtime-spec, and add support for "ErrnoRet" #42005
Conversation
thaJeztah
added
area/security/seccomp
impact/changelog
kind/enhancement
|
Nice! opencontainers/runtime-spec#1087 was just opened, and has a change I was also considering for a follow-up; with that, it's possible to create a profile that uses |
thaJeztah
force-pushed
the
refactor_seccomp
branch
from
8cab879
to
dc1da4e
Compare
This comment has been minimized.
This comment has been minimized.
thaJeztah
force-pushed
the
refactor_seccomp
branch
from
dc1da4e
to
20dc06e
Compare
|
Lots of whitespace changes, so diff is best viewed with |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
thaJeztah
force-pushed
the
refactor_seccomp
branch
from
20dc06e
to
2cbf817
Compare
This makes the type better reflect the difference with the "runtime" profile;
our local type is used to generate a runtime-spec seccomp profile and extends
the runtime-spec type with additional fields; adding a "Name" field for backward
compatibility with older JSON representations, additional "Comment" metadata,
and conditional rules ("Includes", "Excludes") used during generation to adjust
the profile based on the container (capabilities) and host's (architecture, kernel)
configuration.
This change introduces one change in the type; the "runtime-spec" type uses a
`[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers;
`[]*LinuxSeccompArg`.
In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing
the profile to specify the errno code returned for the syscall, which allows
changing the default EPERM for specific syscalls.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These fields are optional, and this makes the JSON representation slightly less verbose. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
refactor_seccomp
branch
from
2cbf817
to
c7cd1b9
Compare
|
@AkihiroSuda @tianon PTAL 🤗 (justin told me he currently doesn't have time to review) |
There was a problem hiding this comment.
Lots of whitespace changes, so diff is best viewed with
?w=1; https://github.com/moby/moby/pull/42005/files?w=1
I am Very Smart, so I rediscovered this the hard way 👍
Aw, man, sorry! I should've mentioned it in the top comment instead 😞 2 LGTM's now, so let me bring this one in. I'll have a look at the follow-up as well; see #42005 (comment)
With that change we will have the option (at least) to switch the profile to use |
Refactor seccomp types to reuse runtime-spec, and add support for "ErrnoRet" Signed-off-by: Mark Feit <mfeit@internet2.edu>
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)