Skip to content

seccomp: custom annotation to load raw bpf#578

Merged
rhatdan merged 1 commit intocontainers:masterfrom
giuseppe:seccomp-raw
Feb 11, 2021
Merged

seccomp: custom annotation to load raw bpf#578
rhatdan merged 1 commit intocontainers:masterfrom
giuseppe:seccomp-raw

Conversation

@giuseppe
Copy link
Copy Markdown
Member

@giuseppe giuseppe commented Jan 26, 2021
edited
Loading

Add an annotation run.oci.seccomp_bpf_file to ignore the seccomp
section in the OCI configuration file and use the specified file as
the raw data to the seccomp(SECCOMP_SET_MODE_FILTER) syscall.

this is how I am using the new annotation: https://www.scrivano.org/posts/2021-01-30-easyseccomp/

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

@giuseppe giuseppe marked this pull request as draft January 26, 2021 20:30
@giuseppe giuseppe marked this pull request as ready for review January 26, 2021 20:32
@giuseppe giuseppe force-pushed the seccomp-raw branch 4 times, most recently from cb9cbfd to 6551493 Compare February 2, 2021 15:19
@giuseppe giuseppe force-pushed the seccomp-raw branch 2 times, most recently from 698e586 to 9d29983 Compare February 8, 2021 11:28
@giuseppe
Copy link
Copy Markdown
Member Author

giuseppe commented Feb 8, 2021

some initial plumbing for Podman: https://github.com/giuseppe/libpod/tree/easyseccomp

@rhatdan
Copy link
Copy Markdown
Member

rhatdan commented Feb 11, 2021

Why have both a data field and a file field?

@giuseppe
Copy link
Copy Markdown
Member Author

giuseppe commented Feb 11, 2021

Why have both a data field and a file field?

the data file makes it easier to use with the existing container tools. Instead the file field is easier for development as I can change the BPF program and test the container just by setting an annotation.

I can drop the file field though as I can live with the data field

@rhatdan
Copy link
Copy Markdown
Member

rhatdan commented Feb 11, 2021

I just found having two ways to do this, confusing.

giuseppe added a commit to giuseppe/libpod that referenced this pull request Feb 11, 2021
@giuseppe
specgen: support --security-opt easyseccomp=
e1e5e00 
start plumbing support for easyseccomp.

Requires: containers/crun#578

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
Copy link
Copy Markdown
Member Author

giuseppe commented Feb 11, 2021

dropped the run.oci.seccomp_bpf_file annotation

@giuseppe
seccomp: custom annotation to load raw bpf
df01709 
Add an annotation `run.oci.seccomp_bpf_data` to ignore the seccomp
section in the OCI configuration file and use the specified file as
the raw data to the `seccomp(SECCOMP_SET_MODE_FILTER)` syscall.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
rhatdan
rhatdan approved these changes Feb 11, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@rhatdan rhatdan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rhatdan rhatdan merged commit 3cca0b7 into containers:master Feb 11, 2021
@giuseppe giuseppe mentioned this pull request Feb 21, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhatdan rhatdan rhatdan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@giuseppe @rhatdan