Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

seccomp: custom annotation to load raw bpf #578

Merged
merged 1 commit into from
Feb 11, 2021
Merged

seccomp: custom annotation to load raw bpf #578

merged 1 commit into from
Feb 11, 2021

Conversation

giuseppe
Copy link
Member

@giuseppe giuseppe commented Jan 26, 2021
edited
Loading

Add an annotation run.oci.seccomp_bpf_file to ignore the seccomp
section in the OCI configuration file and use the specified file as
the raw data to the seccomp(SECCOMP_SET_MODE_FILTER) syscall.

this is how I am using the new annotation: https://www.scrivano.org/posts/2021-01-30-easyseccomp/

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

@giuseppe giuseppe marked this pull request as draft January 26, 2021 20:30
@giuseppe giuseppe marked this pull request as ready for review January 26, 2021 20:32
@giuseppe giuseppe force-pushed the seccomp-raw branch 4 times, most recently from cb9cbfd to 6551493 Compare February 2, 2021 15:19
@giuseppe giuseppe force-pushed the seccomp-raw branch 2 times, most recently from 698e586 to 9d29983 Compare February 8, 2021 11:28
@giuseppe
Copy link
Member Author

giuseppe commented Feb 8, 2021

some initial plumbing for Podman: https://github.com/giuseppe/libpod/tree/easyseccomp

@rhatdan
Copy link
Member

rhatdan commented Feb 11, 2021

Why have both a data field and a file field?

@giuseppe
Copy link
Member Author

Why have both a data field and a file field?

the data file makes it easier to use with the existing container tools. Instead the file field is easier for development as I can change the BPF program and test the container just by setting an annotation.

I can drop the file field though as I can live with the data field

@rhatdan
Copy link
Member

rhatdan commented Feb 11, 2021

I just found having two ways to do this, confusing.

giuseppe added a commit to giuseppe/libpod that referenced this pull request Feb 11, 2021
@giuseppe
specgen: support --security-opt easyseccomp=
e1e5e00 
start plumbing support for easyseccomp.

Requires: containers/crun#578

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
Copy link
Member Author

dropped the run.oci.seccomp_bpf_file annotation

@giuseppe
seccomp: custom annotation to load raw bpf
df01709 
Add an annotation `run.oci.seccomp_bpf_data` to ignore the seccomp
section in the OCI configuration file and use the specified file as
the raw data to the `seccomp(SECCOMP_SET_MODE_FILTER)` syscall.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
rhatdan
rhatdan approved these changes Feb 11, 2021
View reviewed changes
Copy link
Member

@rhatdan rhatdan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rhatdan rhatdan merged commit 3cca0b7 into containers:master Feb 11, 2021
@giuseppe giuseppe mentioned this pull request Feb 21, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rhatdan rhatdan rhatdan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@giuseppe @rhatdan