Refactor seccomp types to reuse runtime-spec, and add support for "ErrnoRet" #42005
Nice! opencontainers/runtime-spec#1087 was just opened, and has a change I was also considering for a follow-up; with that, it's possible to create a profile that uses |
Force-pushed: 8cab879 to dc1da4e
Force-pushed: dc1da4e to 20dc06e
Force-pushed: 20dc06e to 2cbf817
This makes the type better reflect the difference with the "runtime" profile; our local type is used to generate a runtime-spec seccomp profile and extends the runtime-spec type with additional fields: adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used during generation to adjust the profile based on the container's (capabilities) and host's (architecture, kernel) configuration.

This change introduces one change in the type; the "runtime-spec" type uses a `[]LinuxSeccompArg` for the `Args` field, whereas the local type used pointers: `[]*LinuxSeccompArg`.

In addition, the runtime-spec Syscall type brings a new `ErrnoRet` field, allowing the profile to specify the errno code returned for the syscall, which allows changing the default EPERM for specific syscalls.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

These fields are optional, and this makes the JSON representation slightly less verbose.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
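To make the design in the commit message concrete, here is an added example (not code from this PR or from moby/moby) of a generator-side `Syscall` type that embeds a runtime-spec-shaped `LinuxSyscall` and adds the legacy `Name`, a `Comment`, and `Includes`/`Excludes` conditions, then resolves those conditions against a container's capabilities and the host architecture to emit plain runtime-spec entries. The `LinuxSyscall`, `LinuxSeccompArg` and `Filter` types here are local stand-ins written for the example (field names follow runtime-spec, but nothing is imported), the Includes/Excludes semantics (all listed caps present, host arch in the list) are an assumption, and the rules in `SampleRules` are constructed, not Moby's default profile. The `personality` rule shows `ErrnoRet` overriding the default EPERM with a specific errno.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-ins for the runtime-spec seccomp types. Field names and JSON tags
// follow opencontainers/runtime-spec, but these are local copies written for
// this example, not the imported library.
type LinuxSeccompAction string

const (
	ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO"
	ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW"
)

type LinuxSeccompArg struct {
	Index    uint   `json:"index"`
	Value    uint64 `json:"value"`
	ValueTwo uint64 `json:"valueTwo,omitempty"`
	Op       string `json:"op"`
}

// LinuxSyscall carries ErrnoRet: when set, the rule returns this errno
// instead of the default EPERM for SCMP_ACT_ERRNO. Args is a value slice.
type LinuxSyscall struct {
	Names    []string           `json:"names"`
	Action   LinuxSeccompAction `json:"action"`
	ErrnoRet *uint              `json:"errnoRet,omitempty"`
	Args     []LinuxSeccompArg  `json:"args,omitempty"`
}

// Filter is the assumed shape of a conditional rule: every listed capability
// must be present and, if Arches is set, the host arch must be in it.
type Filter struct {
	Caps   []string `json:"caps,omitempty"`
	Arches []string `json:"arches,omitempty"`
}

// Syscall is the generator-side type: the runtime-spec shape plus the legacy
// single "name", a comment, and Includes/Excludes conditions (all omitempty).
type Syscall struct {
	LinuxSyscall
	Name     string  `json:"name,omitempty"`
	Comment  string  `json:"comment,omitempty"`
	Includes *Filter `json:"includes,omitempty"`
	Excludes *Filter `json:"excludes,omitempty"`
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// matches reports whether the filter's conditions hold; a nil filter matches.
func (f *Filter) matches(caps []string, arch string) bool {
	if f == nil {
		return true
	}
	for _, c := range f.Caps {
		if !contains(caps, c) {
			return false
		}
	}
	return len(f.Arches) == 0 || contains(f.Arches, arch)
}

// Generate resolves the conditional rules for one container/host pair into
// plain runtime-spec entries: a rule is kept when Includes holds and Excludes
// does not, and a legacy "name" is folded into "names".
func Generate(rules []Syscall, caps []string, arch string) []LinuxSyscall {
	var out []LinuxSyscall
	for _, r := range rules {
		if !r.Includes.matches(caps, arch) {
			continue
		}
		if r.Excludes != nil && r.Excludes.matches(caps, arch) {
			continue
		}
		s := r.LinuxSyscall
		if r.Name != "" {
			s.Names = append([]string{r.Name}, s.Names...)
		}
		out = append(out, s)
	}
	return out
}

func uintPtr(v uint) *uint { return &v }

// SampleRules is a constructed generator profile, not Moby's default one.
var SampleRules = []Syscall{
	{LinuxSyscall: LinuxSyscall{Names: []string{"read", "write"}, Action: ActAllow}, Comment: "always allowed"},
	{LinuxSyscall: LinuxSyscall{Names: []string{"bpf"}, Action: ActAllow}, Includes: &Filter{Caps: []string{"CAP_SYS_ADMIN"}}},
	{LinuxSyscall: LinuxSyscall{Names: []string{"chroot"}, Action: ActAllow}, Includes: &Filter{Caps: []string{"CAP_SYS_CHROOT"}}},
	{LinuxSyscall: LinuxSyscall{Names: []string{"arch_prctl"}, Action: ActAllow}, Includes: &Filter{Arches: []string{"amd64", "x32"}}},
	{LinuxSyscall: LinuxSyscall{Names: []string{"personality"}, Action: ActErrno, ErrnoRet: uintPtr(38)}, Comment: "deny with ENOSYS (38) instead of the default EPERM"},
	{Name: "sync", LinuxSyscall: LinuxSyscall{Action: ActAllow}, Excludes: &Filter{Arches: []string{"s390x"}}},
}

// ToJSON renders the generated entries as they would appear in the profile;
// errnoRet and args are omitted when unset.
func ToJSON(entries []LinuxSyscall) (string, error) {
	b, err := json.MarshalIndent(entries, "", "  ")
	return string(b), err
}

func main() {
	out := Generate(SampleRules, []string{"CAP_SYS_CHROOT"}, "amd64")
	js, err := ToJSON(out)
	if err != nil {
		panic(err)
	}
	fmt.Println(js)
}
```

Running it for a container holding only `CAP_SYS_CHROOT` on an amd64 host drops the `bpf` rule, keeps `chroot` and `arch_prctl`, and emits `"errnoRet": 38` only on the `personality` entry; the same rules resolved for a capability-less container on s390x shrink to just the unconditional entries, which is the point of evaluating the conditions at generation time rather than carrying them into the runtime profile.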
Force-pushed: 2cbf817 to c7cd1b9
@AkihiroSuda @tianon PTAL 🤗 (justin told me he currently doesn't have time to review)
Lots of whitespace changes, so diff is best viewed with `?w=1`; https://github.com/moby/moby/pull/42005/files?w=1
I am Very Smart, so I rediscovered this the hard way 👍
Aw, man, sorry! I should've mentioned it in the top comment instead 😞 2 LGTM's now, so let me bring this one in. I'll have a look at the follow-up as well; see #42005 (comment)
With that change we will have the option (at least) to switch the profile to use |
Refactor seccomp types to reuse runtime-spec, and add support for "ErrnoRet" Signed-off-by: Mark Feit <mfeit@internet2.edu>
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)