Add the specification of seccomp userspace notification #1038
Conversation
| @@ -598,6 +598,9 @@ The following parameters can be specified to set up seccomp: | |||
| * `SECCOMP_FILTER_FLAG_TSYNC` | |||
| * `SECCOMP_FILTER_FLAG_LOG` | |||
| * `SECCOMP_FILTER_FLAG_SPEC_ALLOW` | |||
| * `SECCOMP_FILTER_FLAG_NEW_LISTENER` | |||
|
|
|||
| * **`listenerPath`** *(string, OPTIONAL)* - specifies the path of UNIX domain socket which the runtime will pass the file descriptor of seccomp notification using SCM_RIGHT to. | |||
There was a problem hiding this comment.
We may want to prioritize the DLL interface rather than socket. containers/crun#438
cc @giuseppe
There was a problem hiding this comment.
do you think that should be part of the specs? I considered that more of a development tool. How would the .so handled? Through cgo?
There was a problem hiding this comment.
I'm sorry for the very late reply.
DLL interface is useful but I think we don' t need it as runtime-spec as @giuseppe said.
|
Hi @KentaTada. I started a similar proposal and we will discuss this topic at the OCI Weekly Discussion tomorrow. Maybe you can join? Sorry I hadn't noticed this PR before. |
No problem. Thank you for your contact. BTW, I'll take paternity leaves sometimes and my reply may be late. |
5338e05 to
696f563
Compare
|
Just rebased |
Co-authored-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com> Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
696f563 to
7733617
Compare
|
@KentaTada I've just opened this PR: #1074 that also overlaps. It is quite similar to this, but it specifies: how the UNIX socket should be used, and more importantly for our use case a seccomp state to be sent over the socket, so the agent can have information about the container (like the pod it is, etc.). IIUC, it should allow for your use case too. What do you think? Please feel free to review it :) |
|
PR #1074 added support for this (is already merged). I think it is safe to close this one :) |
This commit adds the specification of seccomp userspace notification.
The runtime will pass the file descriptor of seccomp notification via the UNIX domain socket using SCM_RIGHT to "listenerPath".
The reference link is below.
https://www.kernel.org/doc/html/v5.0/userspace-api/seccomp_filter.html#userspace-notification
I want to share our background. As Sony, we are building our rootless embedded container system. We need to hook some syscalls like mount(2) or mknod(2) inside our container and handle those syscalls in userspace in accordance with our use case.
I think this specification is useful for all container users, especially rootless container users.
Signed-off-by: Kenta Tada Kenta.Tada@sony.com