docs: update seccomp documentation #4902
*TODO: seccomp work is being done to find a good default config*
*Seccomp filtering is supported with configurable default profiles*
Not sure what you mean with a configurable default profile. There is no default profile AFAIK.
Also, considering how extensive this doc tends to be, maybe we can add some example seccomp profile here?
I was about to comment the same thing -- this is talking about the default configuration for runc, and we don't have a default seccomp profile. Upstream runtimes have their own profiles but we do not yet have a default one.
But yes, a better PR would be to provide an example (maybe just taking the Podman one? I wouldn't use the Docker one since it still suffers from the EPERM issue described in moby/moby#42871.).
b9cb4c8 to a221b17
**Example seccomp profile:**
An example seccomp profile based on Podman's default configuration is available at:
[examples/seccomp/podman-default.json](../examples/seccomp/podman-default.json)
I don't think this JSON has to be put in the repo.
You can just put a hyperlink.
Also, OCI seccomp is different from libcontainer seccomp.
See how it is converted here:
runc/libcontainer/specconv/spec_linux.go, line 1139 in 00aec12
yes, going to do that.
06ea960 to 43b3b58
Note: This is an OCI seccomp profile. Runc converts OCI seccomp profiles to libcontainer format
using the `SetupSeccomp` function in `libcontainer/specconv/spec_linux.go`.
**Example OCI seccomp format:**
A single example should suffice.
rata left a comment
Thanks! Let's make the style more in-line with the rest of the file
43b3b58 to f14c63e
rata left a comment
Mostly LGTM now, thanks! Left an important question, though.
Seccomp can be used to filter the syscalls a container can use. The filter used is quite expressive. For example, a filter can allow only a syscall when used with a specific parameter is allowed, change the errno returned or even forward it to a user-space agent to act on it.
Example OCI seccomp profile:
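Review bot: the second sentence of the quoted paragraph is ungrammatical ("a filter can allow only a syscall when used with a specific parameter is allowed" reads as two clauses spliced together); suggest "For example, a filter can allow a syscall only when it is called with a specific argument value, change the errno returned, or even forward it to a user-space agent to act on it." "The filter used is quite expressive" would also read better as "The filter language is quite expressive."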
Yes, I built runc with the seccomp tag, used `runc spec`, then added that profile to it, and ran a container successfully.
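An OCI seccomp profile of the kind the quoted diff introduces, added here as an example and not part of the PR or of runc's repository: it goes under `linux.seccomp` in a config.json produced by `runc spec`, and shows each feature the quoted paragraph names (a syscall allow-list, an argument-conditioned rule, an errno override, and a rule forwarded to a user-space agent). The syscall list, the errno values and the agent socket path /run/seccomp-agent.sock are assumptions chosen for illustration.

```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 38,
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "listenerPath": "/run/seccomp-agent.sock",
  "syscalls": [
    {
      "names": [
        "read", "write", "readv", "writev", "pread64", "pwrite64",
        "openat", "close", "fstat", "newfstatat", "lseek", "ioctl", "fcntl",
        "mmap", "munmap", "mprotect", "brk", "madvise", "getdents64",
        "rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "sigaltstack",
        "pipe2", "dup2", "dup3", "nanosleep", "clock_gettime", "futex",
        "getpid", "getuid", "getgid", "geteuid", "getegid", "uname",
        "execve", "exit", "exit_group", "wait4", "clone", "clone3",
        "set_tid_address", "set_robust_list", "getrandom", "prlimit64",
        "arch_prctl", "access", "faccessat2"
      ],
      "action": "SCMP_ACT_ALLOW"
    },
    {
      "names": ["personality"],
      "action": "SCMP_ACT_ALLOW",
      "args": [{ "index": 0, "value": 0, "op": "SCMP_CMP_EQ" }]
    },
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ALLOW",
      "args": [{ "index": 0, "value": 1, "op": "SCMP_CMP_EQ" }]
    },
    {
      "names": ["keyctl", "add_key", "request_key"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1
    },
    {
      "names": ["mknod", "mknodat"],
      "action": "SCMP_ACT_NOTIFY"
    }
  ]
}
```

Unlisted syscalls fail with errno 38 (ENOSYS) rather than EPERM so that libc fallbacks for syscalls the filter does not know about still work (the EPERM problem referenced earlier in this thread), `personality` is allowed only with argument 0 (PER_LINUX), `socket` only for domain 1 (AF_UNIX), the kernel keyring syscalls are explicitly refused with EPERM (1), and `mknod`/`mknodat` are forwarded to the agent listening on `listenerPath`. The allow-list is deliberately short and must be extended for a real image, and the `listenerPath` entry plus the `SCMP_ACT_NOTIFY` rule should be dropped unless an agent is actually listening on that socket.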
f14c63e to f7e6cdc
f7e6cdc to 656677b
The primary
use-case is to provide an explicit allow-list of syscalls for a container, to
libcontainer
does not currently provide a default filter, but higher-level runtimes tend to
define their own filters for use with runc. Here is an example OCI seccomp
profile (see *the runtime specification* *oci-runtime-seccomp* for more
I guess this is intended to be a link but it's broken?
*TODO: seccomp work is being done to find a good default config*
**seccomp** can be used to apply filters to the system calls used in
Here you broke the link too.
What @cyphar showed with the [ ] is a markdown syntax to put links. You removed it, but we want it like that for the links :)
656677b to 2fe8f87
Thanks @rata for the clarification.
@cyphar, changes are done.
2fe8f87 to e7ea570
vulnerabilities, so a strong seccomp filter is highly recommended.
libcontainer does not currently provide a default filter, but higher-level
runtimes tend to define their own filters for use with runc. Here is an example
"Here is an example" is probably a leftover from earlier versions.
yes, thanks. done.
e7ea570 to 85582c1
@cyphar Do you mind adding you as a co-author here, since the changes are now almost yours?
libcontainer does not provide a default filter, but higher-level
runtimes tend to define their own filters for use with runc (see
[oci-runtime-seccomp](https://github.com/opencontainers/runtime-spec/blob/v1.2.1/config-linux.md#seccomp)
for more information on how to write your own filters)
85582c1 to afd8e4b
Pull Request Overview
This PR updates the seccomp documentation in the libcontainer specification by replacing a TODO placeholder with comprehensive information about seccomp functionality and usage.
- Replaces a TODO comment with detailed explanation of seccomp functionality
- Adds information about filter expressions, actions, and security benefits
- Includes reference to OCI runtime seccomp documentation for filter creation guidance
emitting a log entry, or permitting the syscall to execute).
The primary use-case is to provide an explicit allow-list of syscalls for a
container, to reduce the kernel API attack surface exposed the container.
Missing word 'to' - should read 'exposed to the container'.
container, to reduce the kernel API attack surface exposed the container.
container, to reduce the kernel API attack surface exposed to the container.
afd8e4b to fb37d8f
Replace outdated TODO comment with updated information about runc's seccomp support.
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
fb37d8f to e0632cc
I think all your requested changes have been addressed.
Update seccomp documentation.