libct/seccomp/config: add missing KillThread, KillProcess
OCI spec added SCMP_ACT_KILL_THREAD and SCMP_ACT_KILL_PROCESS almost two
years ago ([1], [2]), but runc support was half-finished [3].

Add these actions, and modify the test case to check them.

In addition, "runc features" now lists the new actions.

[1] opencontainers/runtime-spec#1044
[2] opencontainers/runtime-spec#1064
[3] https://github.com/opencontainers/runc/pulls/3204

Fixes: 4a4d4f1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e74fdeb)
(cherry picked from commit 68427f3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
kolyshkin committed May 20, 2022
1 parent e4474ef commit d105e05
Showing 2 changed files with 27 additions and 10 deletions.
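--- a/libcontainer/seccomp/config.go
+++ b/libcontainer/seccomp/config.go
@@ -29,13 +29,15 @@ func KnownOperators() []string {
 }
 
 var actions = map[string]configs.Action{
-"SCMP_ACT_KILL": configs.Kill,
-"SCMP_ACT_ERRNO": configs.Errno,
-"SCMP_ACT_TRAP": configs.Trap,
-"SCMP_ACT_ALLOW": configs.Allow,
-"SCMP_ACT_TRACE": configs.Trace,
-"SCMP_ACT_LOG": configs.Log,
-"SCMP_ACT_NOTIFY": configs.Notify,
+"SCMP_ACT_KILL": configs.Kill,
+"SCMP_ACT_ERRNO": configs.Errno,
+"SCMP_ACT_TRAP": configs.Trap,
+"SCMP_ACT_ALLOW": configs.Allow,
+"SCMP_ACT_TRACE": configs.Trace,
+"SCMP_ACT_LOG": configs.Log,
+"SCMP_ACT_NOTIFY": configs.Notify,
+"SCMP_ACT_KILL_THREAD": configs.KillThread,
+"SCMP_ACT_KILL_PROCESS": configs.KillProcess,
 }
 
 // KnownActions returns the list of the known actions.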
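Review bot: The `actions` map now holds `SCMP_ACT_KILL` and `SCMP_ACT_KILL_THREAD` as two separate `configs.Action` values, and nothing in the hunk says how they relate. In libseccomp `SCMP_ACT_KILL` is an alias for the kill-thread action, so a comment above the map such as `// SCMP_ACT_KILL is the legacy name for SCMP_ACT_KILL_THREAD; only SCMP_ACT_KILL_PROCESS terminates the whole process.` would keep profile authors from assuming `SCMP_ACT_KILL` stops every thread. The code that turns `configs.KillThread` and `configs.KillProcess` into filter actions is outside this hunk; it presumably needs a case for each, otherwise a profile naming them would pass this lookup and only fail later.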
21 changes: 18 additions & 3 deletions libcontainer/specconv/spec_linux_test.go
@@ -234,6 +234,14 @@ func TestSetupSeccomp(t *testing.T) {
Names: []string{"mknod"},
Action: "SCMP_ACT_NOTIFY",
},
{
Names: []string{"rmdir"},
Action: "SCMP_ACT_KILL_THREAD",
},
{
Names: []string{"mkdir"},
Action: "SCMP_ACT_KILL_PROCESS",
},
},
}
seccomp, err := SetupSeccomp(conf)
@@ -263,9 +271,8 @@ func TestSetupSeccomp(t *testing.T) {

calls := seccomp.Syscalls

callsLength := len(calls)
if callsLength != 8 {
t.Errorf("Expected 8 syscalls, got :%d", callsLength)
if len(calls) != len(conf.Syscalls) {
t.Error("Mismatched number of syscalls")
}

for _, call := range calls {
@@ -317,6 +324,14 @@ func TestSetupSeccomp(t *testing.T) {
if call.Action != configs.Notify {
t.Errorf("Wrong conversion for the %s syscall action", call.Name)
}
case "rmdir":
if call.Action != configs.KillThread {
t.Errorf("Wrong conversion for the %s syscall action", call.Name)
}
case "mkdir":
if call.Action != configs.KillProcess {
t.Errorf("Wrong conversion for the %s syscall action", call.Name)
}
default:
t.Errorf("Unexpected syscall %s found", call.Name)
}
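Review bot: The rewritten length check reports only `Mismatched number of syscalls`, so a failure no longer shows either count; `t.Errorf("Expected %d syscalls, got %d", len(conf.Syscalls), len(calls))` keeps the diagnostic the old message had. Comparing against `len(conf.Syscalls)` also holds only while every entry in `conf.Syscalls` lists a single name, which is true of the entries visible here but worth a short comment (`// each conf.Syscalls entry names exactly one syscall`) if SetupSeccomp emits one rule per name. The new `rmdir` and `mkdir` cases cover the accepted spellings; whether an unknown action string is rejected is not visible in these hunks, and a negative case for that would guard the lookup table. TestSetupSeccomp starts and ends outside the hunks shown.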
