diff --git a/crun.1 b/crun.1
index 1de638e38c..25ccd93e70 100644
--- a/crun.1
+++ b/crun.1
@@ -467,6 +467,12 @@ are available on the \fB\fCld.so(8)\fR man page.
 If the annotation \fB\fCrun.oci.seccomp\_fail\_unknown\_syscall\fR is present, then crun will fail when an unknown syscall is encountered in the seccomp configuration.
+.SH \fB\fCrun.oci.seccomp\_bpf\_data\fR
+.PP
+If the annotation \fB\fCrun.oci.seccomp\_bpf\_data\fR is present, then crun
+ignores the seccomp section in the OCI configuration file and use the specified file
+as the raw data to the \fB\fCseccomp(SECCOMP\_SET\_MODE\_FILTER)\fR syscall.
+
 .SH \fB\fCrun.oci.keep\_original\_groups=1\fR
 .PP
 If the annotation \fB\fCrun.oci.keep\_original\_groups\fR is present, then crun
diff --git a/crun.1.md b/crun.1.md
index 354b706f9f..355e29cf88 100644
--- a/crun.1.md
+++ b/crun.1.md
@@ -371,6 +371,12 @@ are available on the `ld.so(8)` man page.
 If the annotation `run.oci.seccomp_fail_unknown_syscall` is present, then crun will fail when an unknown syscall is encountered in the seccomp configuration.
+## `run.oci.seccomp_bpf_data`
+
+If the annotation `run.oci.seccomp_bpf_data` is present, then crun
+ignores the seccomp section in the OCI configuration file and use the specified file
+as the raw data to the `seccomp(SECCOMP_SET_MODE_FILTER)` syscall.
+
 ## `run.oci.keep_original_groups=1`
 If the annotation `run.oci.keep_original_groups` is present, then crun
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
index f6e60ae3c9..93d08c90f0 100644
--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
@@ -1950,9 +1950,29 @@ libcrun_container_run_internal (libcrun_container_t *container, libcrun_context_
 if (annotation && strcmp (annotation, "0") != 0)
 seccomp_gen_options = LIBCRUN_SECCOMP_FAIL_UNKNOWN_SYSCALL;
- ret = libcrun_generate_seccomp (container, seccomp_fd, seccomp_gen_options, err);
- if (UNLIKELY (ret < 0))
- return cleanup_watch (context, pid, sync_socket, terminal_fd, err);
+ annotation = find_annotation (container, "run.oci.seccomp_bpf_data");
+ if (annotation == NULL)
+ {
+ ret = libcrun_generate_seccomp (container, seccomp_fd, seccomp_gen_options, err);
+ if (UNLIKELY (ret < 0))
+ return cleanup_watch (context, pid, sync_socket, terminal_fd, err);
+ }
+ else
+ {
+ cleanup_free char *file_content = NULL;
+ size_t size;
+
+ ret = read_all_file (annotation, &file_content, &size, err);
+ if (UNLIKELY (ret < 0))
+ return cleanup_watch (context, pid, sync_socket, terminal_fd, err);
+
+ ret = safe_write (seccomp_fd, file_content, (ssize_t) size);
+ if (UNLIKELY (ret < 0))
+ {
+ crun_make_error (err, 0, "write to seccomp fd");
+ return cleanup_watch (context, pid, sync_socket, terminal_fd, err);
+ }
+ }
 close_and_reset (&seccomp_fd);
 }
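Review bot: The raw filter read from the `run.oci.seccomp_bpf_data` path is written to seccomp_fd without any sanity check on its size, so an empty file, a length that is not a multiple of `sizeof (struct sock_filter)`, or a blob larger than the kernel's `BPF_MAXINSNS` limit is forwarded as-is and only fails, if at all, on the consumer side of seccomp_fd outside this hunk, with a far less useful error. A guard before the safe_write, `if (size == 0 || size % sizeof (struct sock_filter) != 0 || size / sizeof (struct sock_filter) > BPF_MAXINSNS)`, followed by the same crun_make_error/cleanup_watch pair used for the write failure, rejects it at the point where the offending path is known (`<linux/filter.h>` provides both names if container.c does not already include it). The write-failure branch also passes 0 as the second argument of `crun_make_error`, which, if that argument is the errno to report as elsewhere in crun, discards why safe_write failed; `crun_make_error (err, errno, "write to seccomp fd");` keeps it. The `else` branch silently overrides both the config's seccomp section and the `run.oci.seccomp_fail_unknown_syscall` option computed just above it, which deserves a one-line comment such as `/* Raw BPF supplied by annotation: config seccomp section and fail-unknown option are ignored. */`. libcrun_container_run_internal begins and ends outside the hunk.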